Where does Apple Mail & Outlook store your attachments?

Every file that is sent to you by e-mail is then stored in a specific folder.

Why Would I Need To Know Where Attachments Are Stored?

If you have ever opened an attachment from an e-mail, worked on it and pressed “Save” instead of “Save As”, the document is saved to this specific location.

The location that Apple Mail saves attachments to is in the user’s Library folder. The full file path is the following.

~/Library/Containers/com.apple.mail/Data/Library/Mail Downloads

To access the Library folder, you can use the “Go” menu from the Finder. If you hold the ‘alt’ key while in this menu, you will get the option of the ‘Library’ folder.


Or you can select the “Go To Folder” option from the “Go” menu.

Once you select the “Go To Folder” option you will get a pop-up with a box to enter the folder location.

Once entered, click the “Go” button, and the Finder window will open the folder location. You can then move the file to a location that is easier for you to access e.g., your Desktop or Documents folder.

Apple Mail creates a new folder for each e-mail and names it with the unique message ID. So you will have to navigate through the folders within this location to find the correct message that the attachment came in on.

Outlook Mail Attachments

The location that Outlook saves attachments to is in the user’s Library folder. The full file path is the following.

~/Library/Caches/TemporaryItems/Outlook Temp

How Do I Access This Folder?

To access the Library folder, you can use the “Go” menu from the Finder. If you hold the ‘alt’ key while in this menu, you will get the option of the ‘Library’ folder.


Or you can select the “Go To Folder” option from the “Go” menu.

Once you select the “Go To Folder” option you will get a pop-up with a box to enter the folder location.

Once entered, click the “Go” button, and the Finder window will open the folder location. You can then move the file to a location that is easier for you to access e.g., your Desktop or Documents folder.
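
Because attachments you open, and edits you save with “Save”, stay behind in these two folders, it is worth checking what has accumulated there. The script below is an added example, not part of the original post: it takes the two paths given above and lists every file in them. The function names, the tab-separated output and the optional age filter are assumptions of this example.

```sh
#!/bin/sh
# Added example: inventory attachment working copies left in the two
# cache folders named in the article. Function names, output format and
# the age filter are assumptions of this example.

# Paths from the article, relative to a user's home folder.
MAIL_DOWNLOADS='Library/Containers/com.apple.mail/Data/Library/Mail Downloads'
OUTLOOK_TEMP='Library/Caches/TemporaryItems/Outlook Temp'

# list_attachment_remnants [HOME_DIR] [DAYS]
# Prints one tab-separated line per file:
#   client, per-message folder, size in bytes, full path
# With DAYS set, only files last modified more than DAYS days ago are listed.
# File names containing a newline are not handled.
list_attachment_remnants() (
    home=${1:-$HOME}
    days=${2:-}
    for entry in "Apple Mail|$MAIL_DOWNLOADS" "Outlook|$OUTLOOK_TEMP"; do
        client=${entry%%|*}
        dir=$home/${entry#*|}
        [ -d "$dir" ] || continue
        if [ -n "$days" ]; then
            find "$dir" -type f ! -name .DS_Store -mtime +"$days"
        else
            find "$dir" -type f ! -name .DS_Store
        fi | sort | while IFS= read -r file; do
            rel=${file#"$dir"/}
            # Apple Mail keeps each message's attachments in its own
            # subfolder; a file directly in the cache folder gets "-".
            case $rel in
                */*) folder=${rel%%/*} ;;
                *)   folder=- ;;
            esac
            size=$(wc -c < "$file" | tr -d ' ')
            printf '%s\t%s\t%s\t%s\n' "$client" "$folder" "$size" "$file"
        done
    done
)

# summarize_attachment_remnants [HOME_DIR] [DAYS]
# Prints one tab-separated line per client: client, file count, total bytes.
summarize_attachment_remnants() {
    list_attachment_remnants "$@" |
        awk -F '\t' '{ n[$1]++; b[$1] += $3 }
                     END { for (c in n) printf "%s\t%d\t%d\n", c, n[c], b[c] }' |
        sort
}

# Example calls (commented out so the file can be sourced):
#   list_attachment_remnants              # everything under your own home
#   summarize_attachment_remnants "$HOME" 30   # files untouched for 30+ days
```

Run it as the user whose home folder you are checking; reading another user’s Library folder needs administrator rights.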

OS X Yosemite Hidden Feature Series – Part 3

Continuing on with our series looking at features of OS X Yosemite that aren’t as well known or documented, Part 3 will focus on features in Apple’s Mail client.

Despite the graphical overhaul of OS X Yosemite, Mail as an app seems to function in a similar way to how it did in OS X Mavericks and hasn’t experienced the relocating of settings and options as much as some other apps. So there is no real learning required to get to grips with it for existing Mac users.

There are, however, some rather nifty new features thrown in. As I have mentioned previously, these may not necessarily be ‘hidden’ in the sense that you cannot ‘see’ them; instead, the following features may not:

  • Be obvious as to where they are.
  • Be easy to understand in terms of what they do.
  • Be as well documented by Apple.

New Feature 1:  Mail Markup

What is it?

  • Have you ever needed to fill in a form or sign a document that you have received as an email attachment?
  • Received a photo or map as an attachment and want to highlight or comment on it?

Normally, this would entail having to save the attachment, open it in an editing app, whether that be Preview, Photoshop etc, make your changes and save the edited file, then add the newly modified file back as an attachment in an email. Rather long-winded!

Enter ‘Markup’. This handy new feature allows you to annotate an image or PDF attachment easily while staying within the Mail app. How cool!

If you have ever used the ‘Annotate’ feature within the ‘Tools’ menu of Apple’s Preview app, then you will already know everything about this feature as ‘Markup’ is essentially offering you that ‘Annotate’ tool directly within Mail.

Below is a reminder of the Annotate features in Preview:


You can now sketch, add shapes, text, signatures, lines or arrows directly onto an enclosed image or PDF. Change the font and colours of these too!

Looking at it another way, you are not limited to modifying an attachment that someone else has sent to you before sending it back to them. You can now even add an image into a new email, directly apply your annotation to it and then send it, all within Mail without having to modify the item before attaching it!

How does it work?

It is all rather simple. If you have received an email containing the attachment in question, just select to ‘Reply’ or ‘Forward’ the email containing the attachment as normal. If you wish to send someone else an email with an attachment but directly modify it, then again, just add the attachment to the email as normal.

Next, hover your mouse over the attachment and select the ‘down-facing chevron/arrow’ from the far right of the attachment as highlighted below by a red circle (using Preview’s annotate features!):

Once you have selected the ‘down-facing chevron/arrow’, select ‘Markup’ from the pull-down menu:


The image or PDF then ‘zooms out’, offering an annotation toolbar at the top so you can now add your notations to the attachment with mouse, trackpad or keyboard!


Let’s now see it in action!

So now we know how to access Markup, what can you do with it?
I will work my way along the options of the annotation toolbar from left to right.

Sketch

The first option is the Sketch tool. With this option, you get a pen tool for freehand drawing. Your mouse pointer will change to an ‘ink pen’ icon while you are hovering over the attachment, allowing you to click where you wish to start drawing. Use the Shape Style, Border Color and Fill Color options to customise the size and color of your freehand drawing.

In the example below, I used the Sketch tool to circle around the location of our Surrey office; the Sketch tool has then offered me some customisation options:

I can either keep to my ‘rough’ freehand circle, or select below to have it ‘tidied up’:

I think the tidied up version is better than my freehand circle!

Shapes

The second option is the Shapes tool. As the name implies, this tool can create shapes, but also insert speech bubbles or arrows onto your attachment, and even has a handy ‘highlight’ and ‘zoom’ option too:

I won’t demo all these shape options since most of them are similar and straightforward, but here’s how to create a custom arrow on an attachment:

Step 1: Select the ‘arrow’ option under the Shapes feature to add an arrow with the current Shape Style, Border Color and Fill Color settings.

Step 2: You can drag the arrow around with your mouse pointer, (a ‘hand’ icon replaces your mouse arrow). You can also use the ‘blue’ end point handles to change the length of the arrow or change the angle:


Step 3: Drag the ‘green’ middle point handle to change the arrow from a straight arrow to a curved arrow:

Step 4: Use the ‘Shape Style’ option to change the ‘thickness’ of the arrow, make it a dotted arrow or to add and remove the end points of the arrow:

Step 5: You can then use the ‘Border Color’ option and ‘Fill Color’ option to change the colour of the border or to fill in the arrow with a different colour:

(Choosing the first color will allow you to have NO border or fill colour)

Let’s now look at how to add a custom highlight on to the attachment:

Step 1: Select the ‘highlight’ option at the bottom left of the Shapes feature.

Step 2: This should add a highlighted square on your attachment, allowing you to drag the blue resizing handles to select which part of the image you wish to highlight. The image below shows a red arrow pointing to the stations nearest the Amsys Surrey Training Centre and that area of the map is now highlighted too:


Highlighting a block is quite nice, but the ‘magnifying glass/zoom’ feature is even nicer. I have re-selected the highlighted area and used the ‘backspace’ key to delete this element and will now add a ‘zoom’ element instead.


Step 1: Select the ‘magnifying glass/zoom’ option at the bottom right of the Shapes feature.

Step 2: Again, you can drag the zoom element around with your mouse pointer, (a ‘hand’ icon replaces your mouse arrow). You can also use the ‘blue’ handle to change the length of the zoom range:

Step 3: Drag the ‘green’ handle to change the amount of zoom required. I have used the green handle to zoom in further on the stations I wanted to highlight:

Step 4: You can again use the ‘Shape Style’ option to change the ‘thickness’ of the zoom border, make it dotted or have a shadow.

The ‘Border Color’ option can also be used to change the colour of the border:

Text
The third option is the Text tool. As this implies, this can add a free text box onto your attachment.
Simply click on the Text option to add a free text box and again you can drag the Text box around with your mouse pointer, (a ‘hand’ icon replaces your mouse arrow) and also use the ‘blue’ handles to change the length of the Text box:


Just like any free text box on a Mac, double-clicking inside the text box allows you to modify the text to be displayed.
With the text box highlighted, you can again use the Shape Style, Border Color and Fill Color options to customise the border thickness, color and background fill color and perhaps create something like this:

With Text boxes, you can also use the Text Style option to modify the text’s font, color, font size, bold, italic and underlined options as well as alignment within the text box:

The end result can therefore look like this with change of font, text color with bold and italic added:

Let’s combine those 3 elements together. The arrow shape, the zoomed shape and the text box:

Sign

The fourth option is the Sign tool. Just click the Sign dropdown arrow and select ‘Create Signature’; you can then choose to create a signature with your finger if using a trackpad, or with your Mac’s camera, which can take a photo of your signature on a piece of paper:

When using the camera, it will ask you to sign your name on a piece of white paper and hold it up to the camera:


It will then capture the signature and reverse the image so that it is the right way round as shown below:


With both options, simply select Clear to try again or Done to add the signature to your annotations:


You can now select the captured signature to add it to your attachment:

Again, you can drag the signature around with your mouse pointer, (a ‘hand’ icon replaces your mouse arrow). You can also use the ‘blue’ handle to change the size of the text box. The ‘Border Color’ option can also be used to change the color of the signature text should you wish.

Shape Style

The fifth option is the Shape Style tool. As mentioned during the above steps when looking at adding shapes and text, this is used to change the ‘thickness’ of elements, make them dotted, blurred or shadowed and to add and remove end points to arrows:

Border Color
The sixth option is the Border Color tool. This was also mentioned during the above steps when looking at adding shapes and text and can be used to change the colour of any border of elements:

(Remember that choosing the first colour will allow you to have NO border color)

Fill Color
The seventh option is the Fill Color tool. I mentioned this during the above steps too when looking at adding shapes and text; this is used to change the ‘Fill’ color of any element, such as the filled in color of a shape or the background color behind text:

Text Style
Lastly, the final option is the Text Style tool. Also mentioned during the above steps when looking at adding shapes and text, this is used to modify the text’s font, color, font size, bold, italic and underlined options as well as alignment within the text box:

Right, I think we’ve finally sorted out the Markup feature in Mail!
So let’s see my end result PDF after using Markup:


This was created using the steps above, but also included using the ‘duplicate’ command (or ‘CMD’ + ‘D’ keys) to duplicate some existing annotate elements I had already created to save recreating them from scratch.

As you can see, by adding a generic London travel map PDF into Mail, I have managed to use the Markup feature to clearly highlight the best stations to travel to when visiting our Soho and Surrey offices. All without having to modify the PDF first before adding to Mail!

Useful Info about Markup

Finally, here are some useful pieces of info about this Markup feature:

  • Markup Clean Up - As noted whilst I was creating a freehand circle, Mail can automatically ‘clean up’ or smooth out your drawings to make them look nice and tidy.
  • Markup File Formats - As great as this Markup feature is, it currently only works with images/photos and PDF files. So you cannot use Markup to annotate other types of files, for example a spreadsheet created in Numbers or Excel.

The Markup Extension - Markup is in fact not just for Mail. It is part of the new ‘Extensions’ feature Apple built into OS X Yosemite and iOS 8. Extensions allow code from one application to be available inside another application. We have just experienced Apple’s Markup extension allowing me to use the annotation features offered within the Preview application directly within Mail.

So where is this Markup feature actually configured if not in Mail itself?

Well, OS X Yosemite offers a brand new System preference pane called ‘Extensions’ which offers the ability to provide ‘Extensions’ to apps and the Finder. Below you can see that the ‘Markup’ extension is enabled under the ‘Actions’ section to allow editing and viewing content across apps. (Preview to Mail in this example):

Extensions, therefore, have the potential to completely change how Mac apps function. Hopefully Apple will incorporate more extensions into the file system and also allow developers to make their own or add to existing ones like Markup. Currently the Markup extension has limited availability; I’m hoping more apps will utilise it soon as it is such a useful tool.

For now, though, Markup has a perfect link between the Preview and Mail apps. So much so that if you have already created signatures using Preview, (Tools menu > Annotate > Signature, or visit this guide for earlier versions of OS X’s Preview app), these will automatically appear in a Markup enclosure in Mail when you select the Sign option! Cool!

New Feature 2:  Mail Drop

What is it?

Put simply, Mail Drop is a new OS X Yosemite feature integrated into the Mail app that lets you send large attachments in Mail without having to worry whether it is too big to send and then having to think about how you can get around email attachment limits if your email server rejects your email.

There are quite a few email systems that put a maximum size limit on email file attachments, meaning you are restricted on what you can attach to your emails.
This leads you into having to think of a way round this, like trying to compress the files, crop/reduce the size of images, or even getting as desperate as having to upload your files to a cloud-based storage solution and pasting a link to this into your email.

Enter Mail Drop! With Mail Drop, you can now just drag a large file into a message as normal and click Send. Mail will execute Mail Drop to magically send the large attachment, (whether it be a presentation, video or just a folder of holiday photos) without any worry about size limits!

How does it work?

So, how does Mail Drop get around these email size limits?

As long as you have an iCloud account and are logged into this on your Mac, Mail can send the attachment by uploading the file to a temporary holding area on Apple’s servers where it is encrypted and held ready for download.
Just drag your attachments into an email message, Mail Drop can then take it from there. If the receiver of your email is also using Mail in OS X Yosemite, Mail can download the large file automatically so that they will receive the email with the download attachment as normal, as if it had been attached to the message.

However, if they use an earlier version of Mail, any other email app or even webmail, they will receive your email without the attachment, but the email will contain a link to download any attachments. The link will remain available for 30 days before being deleted. Along with the link, the email notifies the recipient of the expiration date of the downloadable attachment.

The beauty of Mail Drop is that it costs NOTHING to use and the attachments stored in iCloud do NOT count towards your free 5GB of iCloud Drive storage either!
It doesn’t matter which email service you use either, whether it be iCloud itself or something like Microsoft Exchange, Gmail, Yahoo etc.

If you do have OS X Yosemite and are using Mail but don’t have an iCloud account, or you try to send an email without being logged into your iCloud account, Mail will just ask you whether you want to use Mail Drop or not.

Let’s now see it in action!

So now we know what Mail Drop is, let’s see how we can use it!

Sending the email:

Step 1: First of all, check you are logged into iCloud. Open System Preferences from the Apple menu and select ‘iCloud’. Sign in with your iCloud name and password if not already signed in. Check that iCloud Drive is enabled, then click on the iCloud Drive Options button and check that Mail is selected in the list of apps that store data in iCloud in order to activate Mail Drop:


Step 2: Next, we need to check that Mail Drop is enabled for your email account. Open the Mail app and choose Mail > Preferences, click Accounts, then select your email account, click the Advanced tab, make sure ‘Send large attachments with Mail Drop’ is ticked:


You can enable and disable Mail Drop here for each email account. So you can choose which accounts to use Mail Drop with.
If you are using Mail in OS X Yosemite and are logged into an iCloud account, Mail Drop should automatically kick in.

Step 3: Compose a new email message in Mail and drag in a large attachment:

Step 4: Mail may display the total message size just below the “From” address. This text should dynamically change to red if attachments go over the approximate limit for third-party email providers. (My above example screenshot used a Gmail account). Click to Send the message and you’re done! (Remember that the attachment needs to be sent to Apple for hosting and, therefore, there may be a waiting period before the email is actually sent).

Remember that the message size limit warning will trigger Mail Drop to create a link to the attachment instead of including the attachment in the email.

So what if you haven’t got an iCloud account or you are not logged in to it? Or perhaps you have disabled Mail Drop for your email account in Mail Preferences? Not to worry, you can still use Mail Drop but you will need to authorise this on sending the email.

Step 1: Compose a new email message in Mail and drag in a large attachment as mentioned above.

Step 2: On clicking Send, you will receive a notification from Mail asking you whether you want to use Mail Drop or not:


Receiving the email:
Remember, if the recipient is using Mail in OS X Yosemite, they will receive the attachment within the email as normal. However, other mail client apps will receive the email with links to download any attachment from Apple’s iCloud servers and a notification of the expiry date of the download:


Useful Info about Mail Drop

Tip! Remember to check that the email was sent before putting your Mac to sleep or shutting it down. If your attachments are large, they may still be uploading to Apple in the background. So check the Activity before closing Mail or putting your Mac to sleep or shutting it down. (You can check your Mail Activity by selecting the Window menu in Mail and then selecting Activity). The next time you open Mail, you may find this error caused by you closing down Mail too soon:

This error can also occur if you have tried to send too many attachments using Mail Drop in a short period of time.

Mail Drop Limitations

Just as I mentioned for Markup, Mail Drop doesn’t suit all situations. Mail Drop may not activate properly even if both sender and receiver have an iCloud account. The reason for this is that Mail Drop is designed to work by using the sender’s file size limits for its trigger, NOT the receiver’s file size limits.

What does this mean?

Well, let’s say that you plan to send a friend a 15MB email, and your file size limit is 40MB. The email size is well within your attachment limit, but your friend’s maximum file size limit is only 10MB. Technically, the email cannot be sent at the current size, as even though it is smaller than your limit, it is larger than your recipient’s limit.

Since Mail Drop will only consider the sender’s file size limit, in this example, Mail Drop will not trigger an issue and, therefore, the email will send with the file received by your friend as a clickable link they can download from iCloud. As the sender, you will receive a reply notification that the recipient is unable to accept a message of this size.

Apple report that Mail Drop can only be used to send files if the email ‘exceeds the maximum size allowed by the provider of the sender’s email account’. In other words, as a sender, you cannot specify a custom file size threshold with which Mail Drop will trigger. So you cannot prevent situations like my example above.

Since Mail Drop is a new feature, we can but hope that in the future Apple releases a custom size control for Mail Drop to allow senders to ensure that their recipients receive attachments without having to receive a download link.

Mail Drop does support sending multiple attachments in the same message, though; however, the combined total size must be below the 5GB threshold.

In case you try and use Mail Drop but it fails to send, remember to open System Preferences and look at the settings in the iCloud preference pane. Ensure you are logged in correctly to your iCloud account. Check that iCloud Drive is enabled, then click on the iCloud Drive Options button and check that Mail is selected in the list of apps that store data in iCloud in order to activate Mail Drop.

New Feature 3:  Mail HandOff

Mail in OS X Yosemite also works with HandOff, so you can start to write an email on your iPhone or iPad, then switch over to your Mac to finish the email off. Perhaps you want to add a photo or another file to the email that’s stored on your Mac.

Refer to ‘New Feature 3: Handoff’  from Part 1 in this blog series for more info on this feature.

As well as these new features, searching for/within emails, previewing and Gmail & Microsoft Exchange integration seem to be more stable and efficient compared to OS X Mavericks.
Though not new features, it’s worth mentioning these as a benefit of using Mail in OS X Yosemite.

I hope you are enjoying this blog series and finding it useful. Please note though that the features and options I have mentioned are just a collection of the ones that I have discovered and found useful and it’s not a complete feature list.

Apple does have a good overview of the main new features of OS X Yosemite on their website.

If you would like to learn more about OS X or just the Mac in general, then take a look at our collection of introductory training courses. We also have a large collection of Mac OS X and iOS IT courses, which you may find useful.

Disclaimer:

While the author has taken care to provide our readers with accurate information, please use your discretion before acting upon information based on the blog post. Amsys will not compensate you in any way whatsoever if you ever happen to suffer a loss/inconvenience/damage because of/while making use of information in this blog.

These features were tested using OS X Yosemite v10.10.2 and iOS v8.1.3 which were the latest Mac OS and iOS releases at the time of writing.

What’s on at this year’s Amsys Training Summer Camp


Join us for the annual Summer Camp this year in Portugal, our intensive training programme for Mac Admins and iOS Developers. This year we have added 2 new training tracks plus a brand new course!

What’s The Summer Camp?

The Amsys Training Summer Camp has been running for the last 10 years and provides Apple IT and iOS professionals worldwide with a unique opportunity to train in an intensive environment with industry experts and peers.

  • Intensive training experience
  • Gain valuable skills quickly
  • Learn & share with industry experts
  • Immersed in Apple tech, 24/7
  • Optional activities
  • One all inclusive package

Places are limited so please book now to guarantee a seat on your chosen track.

Where?

For the 4th year running, we will be returning to Portugal.

When?

Join our team of Apple Master IT and iOS Development trainers for this week long boot camp from the 4th – 12th June 2015.

Courses?

This year we’re offering 3 brilliant training tracks including ACTC, Mac Admin and Swift Development.


The ACTC Track – Get Certified!

The Mac Admin Track – Learn To Deploy, Manage & Integrate.

The iOS Swift Development Track – Create iOS Apps Using Swift.

What’s included:

For an incredible price of just £2,495 The Summer Camp includes:

  • Flights (to and from the UK)
  • Transfers to and from the hotel & airport (in Portugal)
  • Accommodation
  • All meals
  • All training materials and exam fees (for ACTC)

Understanding the Mac OS X Keychain

Online services, banking, social media, encrypted hard drives, everything wants to know your password before allowing you access.

My list of login credentials is growing slowly and remembering them is not possible anymore. With the advance of the internet and the world of IT becoming so ubiquitous, security policies require stronger and stronger passwords that often need changing.

Well, Apple has the answer to that problem – Keychain.

The Apple Keychain Utility has been around since Mac OS 9. Its deep integration into the system allows us to work without having to enter passwords to access resources. It just makes my life so much easier without sacrificing security. The types of data stored in the Keychain utility are WiFi network passwords, credit card numbers, website passwords, certificates and secure notes.

All keychain data is stored on the hard drive of my computer. I know it is safe because the keychain data itself is an encrypted database. To unlock the keychain, I will need to know my keychain password which is also my login password.

I hope everyone understands the importance of this password. Anyone who knows it and can gain access to your Mac, can unlock your keychain and access all this sensitive data. This is why it has to be a strong one.

Over the years, I have seen people using passwords like “apple”, “password” or even a blank password. Well, you can guess the risk taken by that. So, please, use a stronger one and don’t write it down where people can easily find it.

Where is my data and how do I access it?

The keychain data is stored in ~/Library/Keychains/, /Library/Keychains/, and /Network/Library/Keychains/. The first location is where my personal keychain is stored. To access their data, I need the Keychain Utility located in the Utilities folder in the Applications folder.

I like using Spotlight to access the Keychain Utility as it only takes a few keys to get there – click on the Spotlight icon in the top right corner and type “keychain”. Spotlight is quick and will predict what you are looking for and get it on top of the search quickly, so you don’t even need to type the whole word. Once you open it, you have access to your Keychain.

Understanding Local Keychain Files

I will briefly explain the purpose of the most important files in these directories.

/Users//Library/Keychains/login.keychain – This keychain is created when your user account in Mac OS X is created and normally has its password synchronised with your login password. It is unlocked at login and locked at logout. This is where most of your passwords will end up. Its password is changed when you change your login password or by using the Keychain Access utility.

/Users//Library/Keychains/ - UUID stands for Unique User ID – This identifier does not match your OS UUID. It is created when the account is created. This is where your iCloud keychain is stored but if the service is not enabled, it will appear as “Local Items” and be renamed to “iCloud” when the service is enabled. The iCloud keychain service allows passwords and other types of data from it to be synchronised with your other Apple devices like your iPad, iPhone or another Mac. The only requirements are that all these devices are using the same Apple ID account, and the OS supports the iCloud keychain service (Mac OS X 10.9 and above, iOS 7.0.3 and above).

/Library/Keychains/System.keychain – The System keychain stores items that are accessed by the OS and shared between users to allow, for example, everyone on the Mac to be able to connect to a WiFi network. Only administrators can change its content.

/Library/Keychains/FileVaultMaster.keychain - This file is created by the system when the FileVault encryption service is enabled on your Mac. The OS manages its content.

/System/Library/Keychains/ – This is another location that can store loads of keychain files. Its content is managed by the system and other applications. Most of them will not appear in the Keychain Access utility; however, all users benefit from them.

iCloud Keychain

A major change to the Keychain was the introduction of the iCloud Keychain. This is my favourite feature because it takes all iOS compatible keychain entries and uploads them securely to your Apple ID account. This not only allows all your compatible devices to be able to access usernames and passwords but keeps them safe in the form of a backup in case of a disaster. I know my data is safe as a 2-step verification process is activated automatically allowing you to set an additional code and SMS verification from another device.

The Keychain Access Utility

The Keychain Utility is located in the Utilities folder in the Applications folder. Your password is not required to open it, however, if you want to view a password of any of its items, you will be prompted for your login password.

When you double click on an entry, the window will display its Attributes and Access Control parameters. These attributes include the name and type of the service, network location or the application the entry is for, your username if one exists and a field for the password which appears blank until the “Show password:” box is ticked, and you authenticate. The Access control tab will show you what is allowed access to that specific entry with a few adjustments available.


Troubleshooting

There may be times when the keychain gets corrupted, and you cannot access your data. Fortunately, the Keychain Access application has a built-in repair tool called Keychain First Aid that can be accessed from the Keychain Access menu. The tool requires your keychain password to allow you to verify and rebuild it and will only work on keychains you own as a user.

So, what do you think? Feeling a bit more comfortable with the idea of trusting machines with your passwords over your notepad? I certainly do myself.

Creating Config Profiles instead of a First Boot Script

As a follow up to my first boot script blog, I wanted to spend a bit more time with configuration profiles to see if they could be used to replace some or all of it.

It has become increasingly apparent that Apple is in favour of managing settings via configuration profiles and the MDM system so we thought it was time to modernize the techniques we are using. In addition to this, while we have used a first boot script for quite a few of the recent OS versions which have worked great, with 10.9 and now 10.10 there were a few things that have been bugging us:

  • Having to work around preference caching.
  • Having to write lots of data into existing user homes and the system user template folder.

Preference Caching

Preference caching broke quite a few scripts people were using to configure OS X settings.  Traditionally, OS X and most applications use XML files stored in specific locations (Library/Preferences folders) in the root of the hard drive, the System folder and each users home folders.  You could use various methods to write data into these files, or even replace the files to affect the associated settings. 

Although introduced earlier, certainly since 10.9 the operating system started caching the information stored in these XML files.  If you edit the files directly, the change you made often gets replaced with the cached version.  Ben Toms has a great article on preference caching that explains it in more detail here.

There are commands like “defaults” that are preference caching aware, which is good for one line key/value pair edits and entries. For more complex plists you can use Python, which is using CFPreferences, so would also work. Some of the other commands like PlistBuddy require you to kill cfprefsd before making changes, unless you’re editing files on a non-booted volume.

Configuration Profiles are also able to work with preference caching and apply as soon as they are deployed to the target device and so are the main focus for this blog.

Writing data into user homes and the system template

The second reason for wanting to use profiles is to avoid writing data into user home libraries and the System user template.  These methods generally avoid preference caching as they aren’t actually in use (although this isn’t guaranteed).  

The System folder has always been considered Apple’s domain so anything we put in there has the risk of being wiped out with an OS or other system related update.  To change the settings for existing user home folders, we had to use a loop in the script that contained the necessary commands to insert the key/value pairs.  This also worked, but is quite complex.

What Settings Could We Switch To Config Profiles?

The first boot script we use has quite a lot of different jobs to do so the first task was to list them out and investigate whether they could be switched to configuration profiles.  The below table lists each task and whether a config profile worked.

| Task | Profile? | Notes |
| --- | --- | --- |
| Creating a local admin account | No | Not possible with a profile, but can use the new 10.10 tool sysadminctl |
| Setting time zone and time server | No | The time zone and NTP server addresses are stored in /etc/localtime and /etc/ntp.conf respectively. These are traditional UNIX config files and can’t be manipulated with profiles. Luckily the systemsetup command makes the process nice and simple. |
| Region, keyboard and language | Yes | Keys set in the com.apple.HIToolbox.plist and .GlobalPreferences.plist files. |
| Apple Remote Desktop | No | Similar to setting the time zone and server, there is a purpose built binary that can achieve this so no need to switch it to a profile |
| Enabling SSH access | No | Same as above, the purpose built command line binary works best |
| Setting up the Login Window | Yes | Keys set in com.apple.loginwindow.plist |
| Disable iCloud Setup at login | Yes | Keys set in com.apple.SetupAssistant.plist |
| Disable diagnostics at login | No | The plist file is stored in a non-standard location (/Library/Application Support) so profiles aren’t any use. |
| Disable Time Machine Popups Offering for New Disks | Yes | Keys set in com.apple.TimeMachine.plist |
| Turn off Gatekeeper | Yes | Available in the GUI configuration profile settings |
| Turn on right-click | Yes | Keys set in a bunch of mouse and trackpad plists (more details below) |
| Turn off restore windows | Yes | Key set in .GlobalPreferences |
| Stop writing .DS_Store files on the network | Yes | Key set in .GlobalPreferences |
| Set the Users Homepage | Yes | Key set in com.apple.Safari.plist |

 
 
Creating a config profile

There are two main options for creating configuration profiles, either in a graphical interface, or by creating custom XML files. Some of the tasks above require the use of custom config profiles. These are used to set XML keys that are not available in the standard GUI options.

The core part we are interested in can be shown in this example snippet from the com.apple.TimeMachine.plist profile:

<key>PayloadContent</key>
<dict>
	<key>com.apple.TimeMachine</key>
	<dict>
		<key>Set-Once</key>
		<array>
			<dict>
				<key>mcx_preference_settings</key>
				<dict>
					<key>DoNotOfferNewDisksForBackup</key>
					<true/>
				</dict>
			</dict>
		</array>
	</dict>
</dict>

The Easy Ones

There were a few preference settings that could be replaced with simple checkboxes and dropdown menus. These were:

Some of the login window options

Although there are custom settings we have been adding into the login window preference file, the majority of the options can be set in the GUI:

[Screenshots: login window options in the configuration profile GUI]

Security & Privacy

We would normally set the Gatekeeper options using

spctl --master-disable

but this can be set in the GUI as below:

[Screenshot: Security & Privacy settings in the configuration profile GUI]

Custom Settings

There are a few ways you can create custom configuration profiles.

Upload the plist file directly

Depending on the MDM system, in some cases you can simply upload the configured preference file. To get the preference file set up, I would normally recommend using a cleanly installed version of OS X and removing any keys that you don’t want. So if I wanted to set a few keys in the com.apple.TimeMachine.plist file, I would use the terminal to add the necessary keys such as:

/usr/bin/defaults write /Library/Preferences/com.apple.TimeMachine DoNotOfferNewDisksForBackup -bool true

Then I would take a copy of the preference file so I can amend it:

cp /Library/Preferences/com.apple.TimeMachine.plist /Users/dave/Desktop/

Then we need to convert it from binary to xml so we can edit it:

plutil -convert xml1 /Users/dave/Desktop/com.apple.TimeMachine.plist

Once you have an xml version of the file you can open it in a text editor and remove any keys you don’t need in your profile.

This edited preference file can then be uploaded into your MDM.

Convert to a Configuration Profile first

The second option is to convert the preference file into a configuration profile. This will allow you to deploy the setting using a large range of tools including an MDM server, Munki (since version 2.2) or using the profiles command in the Terminal.

It is possible to create a mobileconfig file directly in a text editor. There are a bunch of profile specific xml keys such as:

<key>PayloadDisplayName</key>
<key>PayloadRemovalDisallowed</key>
<key>PayloadUUID</key>

Note - not a full list of mobileconfig keys

and the core

<key>PayloadContent</key>

that contains the management settings.

Luckily, Tim Sutton has created a very handy script called mcxToProfile.py (available here). This script allows you to (amongst other things) specify a plist file as the input and have it create the mobileconfig file for you. Here’s an example command:

mcxToProfile.py --plist com.apple.TimeMachine.plist --identifier DoNotOfferNewDisksForBackup

By default, configuration profiles lock the settings they are managing. In lots of cases, this works fine but in some cases, particularly when you start dealing with custom profiles and third party applications, locking the settings will either cause the managed setting to be ignored, or make the application crash.

To get around this, you need to change the default profile behavior so the setting is set, but unlocked so the corresponding application can change it if it needs to. You can do this per preference file in the profile with one of the following keys:

Always – <key>Forced</key> – This will lock the setting (default behavior)

Often – <key>Set-Once</key> – This will set the key initially and then reset it each time a user logs in (if they change it)

Once – Combining <key>Set-Once</key> with <key>mcx_data_timestamp</key> set to the current NSDate will allow the setting just to be set once. This is useful if you want to set up the users environment a certain way for their first login, but allow them to change it afterwards.

Always:

mcxToProfile.py --plist com.apple.TimeMachine.plist --identifier DoNotOfferNewDisksForBackup --manage Always

Often:

mcxToProfile.py --plist com.apple.TimeMachine.plist --identifier DoNotOfferNewDisksForBackup --manage Often

Once:

mcxToProfile.py --plist com.apple.TimeMachine.plist --identifier DoNotOfferNewDisksForBackup --manage Once
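To make the three management frequencies concrete, here is an added example (not code from this post and not mcxToProfile.py's own code) that builds the same PayloadContent structure in Python, keeps only an allow-list of keys from an exported preference file, and lists what a finished profile manages so it can be reviewed before upload. The sample plist, the `ExampleLeftoverKey` key, the function names and the payload identifier suffix and display names are assumptions.

```python
import datetime
import plistlib
import uuid

# Management frequency -> MCX state key, following the Always/Often/Once text above.
MANAGE_KEYS = {"Always": "Forced", "Often": "Set-Once", "Once": "Set-Once"}

# Constructed sample: an exported preference file holding the key we want to
# manage plus one leftover key (the second key name is made up for the example).
SAMPLE_PLIST = plistlib.dumps({
    "DoNotOfferNewDisksForBackup": True,
    "ExampleLeftoverKey": "machine-specific value",
})


def settings_from_plist(data, keep):
    """Load plist bytes (XML or binary) and keep only the allow-listed keys."""
    prefs = plistlib.loads(data)
    missing = [key for key in keep if key not in prefs]
    if missing:
        raise ValueError("not in the preference file: " + ", ".join(missing))
    return {key: prefs[key] for key in keep}


def build_profile(domain, settings, identifier, manage="Always", now=None):
    """Return a configuration profile dict that manages `settings` in `domain`."""
    if manage not in MANAGE_KEYS:
        raise ValueError("manage must be one of: " + ", ".join(MANAGE_KEYS))
    if not settings:
        raise ValueError("no keys to manage")

    entry = {"mcx_preference_settings": dict(settings)}
    if manage == "Once":
        # The timestamp is what separates Once from Often; both use Set-Once.
        if now is None:
            now = datetime.datetime.now(datetime.timezone.utc)
        entry["mcx_data_timestamp"] = now.replace(tzinfo=None, microsecond=0)

    payload = {
        "PayloadType": "com.apple.ManagedClient.preferences",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".settings",  # assumed naming
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadEnabled": True,
        "PayloadDisplayName": "Custom settings: " + domain,
        "PayloadContent": {domain: {MANAGE_KEYS[manage]: [entry]}},
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Custom settings: " + domain,
        "PayloadScope": "System",
        "PayloadRemovalDisallowed": False,
        "PayloadContent": [payload],
    }


def managed_keys(profile):
    """List (domain, key, mode) for every preference the profile manages."""
    found = []
    for payload in profile["PayloadContent"]:
        if payload.get("PayloadType") != "com.apple.ManagedClient.preferences":
            continue
        for domain, states in payload["PayloadContent"].items():
            for state, entries in states.items():
                for entry in entries:
                    if state == "Forced":
                        mode = "Always"
                    elif "mcx_data_timestamp" in entry:
                        mode = "Once"
                    else:
                        mode = "Often"
                    for key in entry.get("mcx_preference_settings", {}):
                        found.append((domain, key, mode))
    return found


if __name__ == "__main__":
    settings = settings_from_plist(SAMPLE_PLIST, ["DoNotOfferNewDisksForBackup"])
    profile = build_profile("com.apple.TimeMachine", settings,
                            "DoNotOfferNewDisksForBackup", manage="Once")
    print(plistlib.dumps(profile).decode())  # XML ready to save as .mobileconfig
    for domain, key, mode in managed_keys(profile):
        print(domain, key, mode)
```

Running `managed_keys` over a profile loaded with `plistlib.load` gives a quick review of which keys will be locked (Always) and which the user can still change.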

Final First Boot Script

As I mentioned at the start, there are a few settings that couldn’t be set with config profiles, or were so easy to do with a terminal command it wasn’t worth switching across.

In these cases, we kept the first boot script code. You could turn these into a series of payload free packages, or if you are using Casper, add them to individual policies to be triggered as required.

Below is the script we ended up with:

#!/bin/sh
 
# Requires 10.10 or higher.
 
# Create a local admin user account
sysadminctl -addUser localadmin -fullName "Local Admin" -UID 499 -password "apassword" -home /var/localadmin -admin
 
# Set the time zone to London
/usr/sbin/systemsetup -settimezone "Europe/London"
 
# Enable network time servers
/usr/sbin/systemsetup -setusingnetworktime on
 
# Configure a specific NTP server
/usr/sbin/systemsetup -setnetworktimeserver "ntp.amsys.co.uk"
 
ARD="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart"
 
# Switch on Apple Remote Desktop
$ARD -configure -activate
 
# Configure ARD access for the localadmin user
$ARD -configure -access -on
$ARD -configure -allowAccessFor -specifiedUsers
$ARD -configure -access -on -users localadmin -privs -all
 
# Enable SSH
systemsetup -setremotelogin on
 
exit 0

Summary

So now we have the config profiles in our MDM. When a device enrolls it falls into the necessary groups and configures its settings based on the XML information.

If anyone wants to grab a copy of our completed mobileconfig files and the amended first boot script, you can get them on our github page here.

Apple is clearly pushing profiles as the primary settings management method so it’s worth spending some time with config profiles and seeing what you can switch over to them.

Quick Tip: How to open System Preferences quickly

If like me you regularly access System Preferences to change settings then the following tip may help you open System Preferences quicker.

Open System Preferences using Keyboard Shortcuts:

On your keyboard use ALT + F2, which opens up the Display system pane. Then use CMD + L, which will change from the Display system pane to the main System Preferences.

Open System Preferences using Spotlight:

On your keyboard use CMD + SPACE to display the Spotlight search (top-right menubar) where you can simply type the keyword sys which should then display and select System Preferences, and then hit the RETURN key to open.

How to delete Keychains at logout

I’ve been asked quite a few times whether it’s possible to disable the Keychain functionality in OS X. This is a fairly critical part of the OS, so the short answer is no, but there are some workarounds that suit certain environments, particularly deleting the Keychain at logout.

Why would you want to do this?

For anyone new to the topic, the Keychain is a feature introduced years ago by Apple to securely store users’ passwords and to make them available to other applications. The functionality was built-in to a load of OS X features and apps like Mail, Safari and the Finder.

Apple also made APIs available to developers so they can integrate the Keychain into their apps. So if a developer needs a user to authenticate to use their app, they can store and retrieve credentials from the user’s Keychain.

So while this all sounds good, there are a few situations where the Keychain can get in the way. The most common issue is when password policies are being used to force users to change their passwords on a regular basis.

If they have been storing the password in their Keychain for things like file servers and email, and then change the password to something else, they will get Keychain errors, or worse, locked out from some applications as OS X tries to send the old (incorrect) password to the service.

Another problem is when users reset their password outside of OS X. This happens a lot in schools as students forget their passwords and have to have them reset in AD.

When the student logs back into a Mac that has a local copy of their Keychain the passwords won’t match, presenting them with an error. This is even more likely if the Macs are in shared classroom / lab setups. The users will be leaving a breadcrumb trail of local Keychain files making the problem much worse if their password is reset.

Deleting the Keychain at logout

A popular way to avoid this issue is to delete the Keychain at log out. When a user logs in, if no Keychain file is present in ~/Library/Keychains, the OS will create one based on the user’s current password. This means that all you have to worry about is deleting the old one before that point.

The script:

	#!/bin/sh
 
	rm -Rf /Users/$USER/Library/Keychains/*
 
	exit 0

This script will simply delete anything in the user’s ~/Library/Keychains folder, forcing the OS to create a new one next time they login.

To create it, use a “coding” text editor (Sublime Text, TextWrangler, BBEdit, Fraise, etc.) and add the code above. Save it with a .sh extension in a location accessible by all user accounts, and make sure it is executable.

We normally recommend making a new folder in /Library with the company name to store these types of things. If this were for Amsys, I would use the following steps to create the folder and set the necessary permissions:

  1. In the Terminal, type “sudo mkdir /Library/Amsys”
  2. Copy the script you created into the folder
  3. In the Terminal type “sudo chown -R root:wheel /Library/Amsys”
  4. In the Terminal type “sudo chmod -R 755 /Library/Amsys”

All the above commands will need to be run as an admin user.

Getting the script to run

Once all this is in place you need to get the script to run each time a user logs out. To do this, you can add a new Logout Hook:

In the Terminal, type:

sudo defaults write com.apple.loginwindow LogoutHook /Library/Amsys/name_of_script.sh

You just need to adjust the path based on your company folder name and change “name_of_script.sh” to whatever you called the script when you saved it.

A note about Logout Hooks

When you use the defaults command to add a login or logout hook to trigger scripts, you are adding XML entries into the com.apple.loginwindow.plist file. This functionality has been deprecated by Apple, meaning it may be taken away in a future release of OS X. This is fine for login hooks as we have LaunchDaemons to replace them. It does, however, present a bit of a problem for logout hooks as there is no equivalent replacement.

There have been a few creative alternatives popping up on the Internet, but Apple has not indicated any plans to replace the functionality. So while it will work for now, this is worth taking into account when choosing to setup logout hooks.

Munki 2: What’s New in Munki 2.1 and 2.2

Hi all. Well, since we published my intro to Munki 2 blog, Greg has continued his forward march and released two full versions since!

This blog will give a rough overview of the shiny new features in these releases!

So, Munki 2.1?

Munki 2.1 was released on 16th December 2014 with 2 main new features (excluding localisation work):

  • Replacing the use of ‘curl’ for the munki repo communications with Apple’s NSURLConnection.
    • This works around an issue with Mavericks and the use of Client SSL certificates to authenticate against the Munki repo. I saw this issue first hand and the workarounds typically involved installing custom versions of the command line tool Curl. Not ideal when you’re trying to use as few custom items as possible, as Munki does.
  • Full support for the deployment and installation of Adobe Creative Cloud Packager installers.
    • These are the product of Adobe’s Enterprise packaging tool and can be temperamental when used in deployments (not just with Munki). This update adds full support for them into Munki.

And Munki 2.2?

Munki 2.2 was released on 27th January 2015 with one huge new feature:

  • Munki now can accept, push out and install Configuration Profiles without wrapping them in installers or scripts.
    • This allows the pushing out of (computer level) profiles through the Munki system without requiring a system to wrap the profiles, or to check if they need to be installed (with custom install check scripts).
  • Additionally, Munki now creates and uses hash keys for the icons of packages, thereby only downloading the new icons when needed.
    • This should cut down on your network traffic relating to grabbing the icon files, which can only be a good thing!

Summary

There you go, two fairly major updates out in a matter of months. Has anyone tried the new updated versions? Any interesting stories? How about any cool new Munki tricks you’ve learnt? Let us know below and I’ll try to respond to and delve into as many as I can.

 
Disclaimer:

While the author has taken care to provide our readers with accurate information, please use your discretion before acting upon information based on the blog post. Amsys will not compensate you in any way whatsoever if you ever happen to suffer a loss/inconvenience/damage because of/while making use of information in this blog.

 

Amsys open 2nd location in Soho, London


For the last five years, our London office has been based on Berwick Street in Soho. Here our expert team of Apple Certified Trainers and Technicians have been providing a range of Apple Authorised services to businesses based in London.

In response to increasing demand for our “walk-in-Mac repair” services, support and iOS Development training, we opened our second location in London last week.

This new location, which can be found on 44 Poland Street, will act as our Apple Services and Support Centre, just a short 4-minute walk from the Apple Store on Regent Street. Meanwhile, the Berwick Street location will operate as our Mac OS X & iOS Training centre.

What can you expect from Amsys’ New Apple Service & Support Centre?

Tech Bar & Walk in Apple Repair Services

Business users and Apple fans alike can pop into our new Apple Service & Support Centre to have your Apple devices serviced, fixed or replaced. You do not need an appointment to guarantee a repair, simply walk in and grab a seat at the sleek tech bar to have a chat with our team.

We are one of the UK’s largest Apple Authorised Service Providers and, as such, can repair and replace all in and out of warranty Apple devices including, iMacs, MacBooks, iPads, iPods and Apple TVs.

All repairs are performed onsite in our new state of the art, Apple Certified, workshop, with a typical turnaround time of 3-5 working days for each service.

Apple Authorised Training

To support increasing demand for Apple Certified, Advanced and iOS training courses we have also added an extra training room, to complement our two other classrooms on Berwick Street. Training will take place in state of the art conditions, using the latest Apple Tech, led by our Apple Master IT Trainers and/or experienced iOS Development Trainers.

Dedicated Service Desk

Recent rapid growth has led to the opening of Amsys’ second dedicated service desk facility at the new premises, enabling our Apple Certified techs to visit Amsys’ London based clients as and when needed. Here, our team of fully certified consultants and technicians will provide Apple support, consultancy and associated services to London’s businesses, schools, and universities.

Comment from Alex Hawes, our MD

“Opening a second location in Soho, London has been the natural next step for Amsys as growth accelerates across our six divisions. With five locations across the UK, we have securely positioned Amsys as the market leading technical partner for organisations that rely on Apple devices and third party tools. The future certainly looks bright, with plans to employ more techs and to release a range of innovative solutions. ”

For more information about our Apple services, events and much more, please subscribe to our blog or email info@amsys.co.uk.

Mac Myriad Podcast #1

Mac Myriad (formerly known as Mac Tech SA), founded by Apple Trainer, Lee Balsdon, is a user group for Mac admins, techs and Apple fans in Cape Town, South Africa. The community has been running for just over a year, providing a variety of monthly events for Apple Professionals.

Last week, Lee launched their first podcast to chat to international and local Apple experts about all things that matter in the world of Mac and iOS.

We were honoured to be invited to take part in their debut show, alongside Charles Edge (Bushel, Krypted.com)  and Karen Hart (Picster Books) for an entertaining discussion about all things Apple!

Listen to the podcast to hear:

Charles Edge talk about Bushel; the Amsys team chat about the history and future of Revise IT, and Karen’s inspiring iDeaf Project.

Plus:

  • Thunderstrike
  • Favourite Apps
  • Apple’s Quarterly Earnings

and much more!

Subscribe to the podcast on iTunes or listen on Soundcloud now.

Munki 2: Upgrading Your Munki Repo and Administration Mac

Hi all. Welcome to the second part in my Munki 2 blogs: The on-going guide to get Munki newbies up and running with a basic setup to cut your teeth on!

This blog is designed as an ‘updater’ blog to my previous two Munki blogs: “Configuring Munki for a Mac Server” and “Munki Configuration Part 2: Admin Mac”.

Also, I realised in my intro blog, I used the term ‘Munki Server’ for the Munki Repo and I got a little stick about it. Rather than argue semantics, please assume that if I use the terms ‘Munki Server’ or ‘Munki Repo’ I’m referring to the same thing, specifically the server that hosts all the Munki data you are serving to your clients.

My Demo Setup

Just for clarification, my demo setup for these instructions and screenshots is as follows:

Server and Client OS: OS X Yosemite 10.10.1
Server app: 4.0.3
Munki Tools: 2.2
Example Package: Mozilla Firefox v35.0.1

Repo-side Upgrade

To be honest, there’s only one repo server-side change for a generic setup and that’s the inclusion of an ‘icons’ folder at the root of the Repo.


Now this folder will be created on demand when you first use the updated munkiimport tool to upload a package and create an icon for it. You could create this manually (say if you don’t have permissions to create new directories at the munki_repo root), just ensure it has the same permissions as the other directories, for example the pkgsinfo directory.

Administration Mac Upgrade

For your administration Mac, run the updated Munki 2 installer. As mentioned in step 7 of the previous ‘part 2’ blog, if this Mac will not be running the Munki client, simply use the ‘Customize’ option to deselect the “Managed Software Centre” and “Munki launchd agents” whilst running the installation.


Munkiimport Updated!

With the new options, some changes were made to the Munkiimport command line tool to simply take advantage of these. This is in the form of three new (optional) questions asked when importing an item:

  • Category
    • Allowing you to manually specify the Category you’d like to have the item displayed under. The most benefit would be seen if this item is an optional install.
    • Simply enter the desired Category and it’ll be added to the pkgsinfo file for the item.


  • Developer
    • Allowing you to manually specify the Developer you’d like to have the item displayed under. Again, the most benefit would be seen if this item is an optional install.
    • Simply enter the desired Developer name and it’ll be added to the pkgsinfo file for the item.


  • Icon
    • Icon is a little different from the other two. Munkiimport will first check if the Icon already exists matching the name of the Item. If not, it’ll offer to try and extract one. This generally only works for DMG or standard Apple pkg installers.
    • If a suitable Icon is found, it’ll upload the icon into the ‘icons’ directory on the munki_repo (creating the directory if not present), with the ‘[item name].png’ as the filename.
    • Finally, if successful, it’ll add the path to the icon into the pkgsinfo file.
    • The icon will be shown next to the item in the new Managed Software Centre client application.

     


Final Result

Following on from the above, I added Firefox to the optional installs on my test Mac and this is how it looked in the new client application:

[Screenshot: Firefox under optional installs in Managed Software Centre]

Summary

There you go. As always, I hope it helps someone out and gets you onto the new (and awesome) Munki v2. Tune in for the next part where I’ll discuss upgrading the Munki Clients.

For these blogs, I’d always recommend reading the documentation (as Munki is a powerful tool) over at its new home on GitHub.

As always, if you have any questions, queries or comments, let us know below and I’ll try to respond to and delve into as many as I can.

Note: Regarding Running a HTTP Munki Repo on OS X Yosemite Server

One little thing I did find that has changed with using the web service on OS X Yosemite Server is, by default, all HTTP requests are redirected to HTTPS. In a normal Web Server configuration, this is exactly what you want, with all communication between the Web Server and the Web Client being encrypted.

However, if you’re running a Munki Repo on HTTP and haven’t (yet!) got round to configuring HTTPS it will stop Munki clients from reaching your repo. Don’t worry, this is purely a tick box in the server app and can be disabled by:

  1. Launch the Server.app and navigate to the “Web” service.
  2. Find your default website and double click it.

Read Munki 2: An Introduction Here.

 


Deploy a Firefox CCK2 package with Munki

Hi Munki / Firefox admin!

I’ve been known to use both JAMF’s Casper suite and Munki, situation dependent, but recently all of my Firefox CCK2 posts have been geared for Casper admins. Time to give some love to Munki in this area!

This blog assumes you have packaged the autoconfig files that CCK2 outputs and are ready to deploy them. It also assumes you have already got Firefox installed in your Munki Repo, either manually or via AutoPKG.

I have written the details using Munki Admin to take advantage of the easier GUI to show what’s happening. If you’d rather use the command line tools and edit the pkginfo files directly (and why not?) or you administrate your Munki setup without using Munki Admin, you should be able to take what I’ve written and easily translate it over to manually editing with the appropriate tools.

As always, this is how I have resolved the challenge I was faced with. I don’t make any promises that it’s the best way and I’m very open to hearing others’ opinions!

Package Info for your CCK2 package

1. Nice and simple. Import your CCK2 installer package into Munki, either using ‘munkiimport’ or Munki Admin. If you’ve used ‘munkiimport’, open up Munki Admin.

2. Find your newly added installer, and double click it to view and edit the pkginfo file.

3. (Personal Preference but) I would suggest ticking the ‘unattended install’ so that this ‘restrictions’ profile can be installed without alerting the user. The user will still be alerted if there are any installs / updates that are available that do not have ‘unattended install’ ticked.

4. Go to the “Requirements” tab. Add your ‘Firefox’ installer into the “Update for” section.
This will mean that you don’t need to add the CCK2 installer to a manifest and it will install after the Firefox installation (and not be replaced!)


5. Click “OK” and then run ‘Save’/’Make’ to save the changes to the appropriate files.

6. This should now deploy fine.

What if this CCK2 installer is for a specific version of Firefox?

Ah, so you’ve read my previous blog about Mozilla changing the location of the CCK2 files between versions of Firefox? In this case, you’ll have a little more work to do. Once you’ve completed the above steps:

1. Navigate to your Munki Repo and find the pkginfo directory.

2. Open the pkginfo file for the CCK2 installer package in your favourite script-editing app (avoid word processors, such as Microsoft Word, and TextEdit as these can screw up the formatting of these files, thereby making them unusable).

3. Find the “update_for” key, and change this from “Firefox” to the full name of the pkginfo file (without the .plist) for the version of Firefox that this CCK2 installer is for.
e.g. To set my pkginfo to be for my Firefox-35.0.0.plist I will modify the CCK2 pkginfo from:

[Screenshot: pkginfo before the change]

to

[Screenshot: pkginfo after the change]

4. Save the file, and run the ‘make’ from Munki Admin, or the below command in terminal:

/usr/local/munki/makecatalogs

5. This should now only install the update, if the Mac is detected as having Firefox v35.0 installed (as detected by your Firefox-35.0 pkginfo).

Installation Detection

Now you will find you experience at least one (likely both) of the below scenarios:

  • If a user was to replace the entire Firefox application, or manually remove the CCK2 files, they will be able to remove the restrictions, and Munki won’t know to reinstall them
  • Munki will not be able to detect the installation of the CCK2 package and so will ask to update it at every Munki run.

More information on this can be found on the Munki site; however, it boils down to telling Munki (via the pkginfo file) which items indicate that the installer has been ‘installed’.

This can be achieved through either an Installs Item/Array or an Install Check Script.

Please Note: Munki works through a priority list to determine which method to use to detect if an install is required. Regardless of the success or failure of the detection, it will stop when it finds the required information in the pkginfo, e.g. If you provide an Installs Array and an Install Check Script, it will only use the Install Check Script and will not failover to the Installs Array. The priority order is:

1st - Install Check Script
2nd - Installs Array / Items
3rd - Receipts

Installs Array

The first method I’ll show you is the Installs Array method. Again, as mentioned above, I’ll show you the Munki Admin method to try to make it as easy to follow as possible. Those who are happy to edit the pkginfo files, please feel free to do so! It would also help to know the actual files and directories that are being deployed.

1. Run the CCK2 installer package on a test device.

2. Install and Configure access to the Munki Repo from this device. Launch the Munki Admin application.

3. As before, find the CCK2 installer package, and double click it to view / edit the pkginfo data.

4. Navigate to the “Contents” tab. The top box is where the Installs Items are listed.

5. Open a Finder window and one by one drag in the files that the CCK2 installer deploys.

6. My example ended up as this:

editing firefox 35 munki

7. Click “OK” and then run ‘Save’/‘Make’ to save the changes. This should now correctly detect when the package has been correctly installed and also reinstall should any of these files be missing (for example, should a user replace the Firefox application).

8. The relevant area of my final pkginfo file looked like this:

final pkg info file firefox munki

Install Check Script

So you didn’t like the Installs Array method? Or maybe you are intrigued as to other ways you could maybe carry out an amazing “Stupid Munki Trick” (https://github.com/munki/munki/wiki/What%20Are%20Stupid%20Munki%20Tricks)? In that case follow on. If not, please skip this bit.

1. Launch Munki Admin and access the CCK2 Installer pkginfo as mentioned above.

2. Go to the last “Install Check Scripts” tab. Check the left hand tick box and use the large left hand text window to write your script. The general rules are:
a. Any language that the Mac Supports, Munki will also support.
b. Most Importantly: An exit code of 0 means the item needs to be installed. Anything else means the item does not need to be installed.

3. For this example, I’ll cheat and use my CCK2 Casper Extension Attribute script to cut corners.

cck2 casper extension attributes script

4. I’ve changed line 36 to be “exit 0” as this is when the CCK2 items will need to be reinstalled.

5. I’ve also changed line 39 to be “exit 1” as this is when the CCK2 items have been detected as being installed.

6. As before, click “OK” and then run ‘Save’/‘Make’ to save the changes.

Summary

There you go. As always, I hope it helps someone out and saves you some time as well as give you more ideas for how to work with your Munki solutions.

As always, if you have any questions, queries or comments, let us know below and I’ll try to respond to and delve into as many as I can.

Disclaimer:
While the author has taken care to provide our readers with accurate information, please use your discretion before acting upon information based on the blog post. Amsys will not compensate you in any way whatsoever if you ever happen to suffer a loss/inconvenience/damage because of/while making use of information in this blog.

What will you do when your Macs aren’t covered by Warranty?

Macs play an increasingly important role in Enterprise and Education markets; and, therefore, it is important that your Mac hardware is protected against faults, damage and inevitable wear and tear.

Protecting your device(s) warranty

Apple have put in place a number of key requirements to ensure that your Mac gets the highest level of service and its hardware’s warranty is not invalidated when you send it in for a service, repair or upgrade. These include:

  • Only allowing Apple authorised parts to be sourced.
  • Only allowing Apple Authorised repair centres to fit the parts.
  • Tough regulation on the environment the repair is carried out in and processes the repair must follow.

Failure to meet these can invalidate the warranty.

Scales of Apple Warranty

For the first year of an Apple device’s life, Apple provides 1 year warranty that covers all parts and labour.

You can also choose to take out the “Apple Care Protection” (APP) plan, which covers your Mac hardware for the subsequent 2 years.

However, once your Macs enter their 3rd year of usage, or are over 1 year old without APP, this presents many companies with a very difficult decision:

Do you:

a)  Refresh your entire Mac fleet with new devices.

b)  Continue to use the devices but risk potentially hefty repair bills over the next few years?

As experienced tech users, we all know that Murphy’s Law hates gadgets!

Typically, Murphy’s Law tends to kick in the day after your warranty runs out and your cat decides to knock your MacBook off the table… or worse.


Amsys Alternative

Amsys offer organisations with a large Mac fleet another option. Devices over 3+ years old (or over one year without an extended warranty) can be enrolled in our “Break / Fix Contract.”

From as little as £105 per year, this hardware contract covers:

  • All parts,
  • All labour,
  • All carriage,
  • All diagnostics,
  • Priority repair service.

If you want to find out how you can continue to insure your Apple Devices, without having to renew your entire fleet, or pay for Out of Warranty repairs; then please contact me (Henry Capper), email henryc@amsys.co.uk or call 0208 660 9999.

 

 

Download all of the GarageBand / Logic Pro X Content Loops for deployment

Back in November, I had a conversation over Twitter with @TechGrlTweeter about how to capture and deploy the GarageBand loop installers. Some Mac admins prefer to use network packet capture tools such as “Charles Web Proxy”; however, the method I suggested uses no additional applications and requires a lower level of technical skill.

Content Loops?

OK, I may not have started clearly enough. A little while ago, Apple stopped shipping iLife suite installers for GarageBand, iWeb, iDVD, iPhoto and iMovie and instead utilised the Mac App Store for these products, as well as for Logic Pro X. To minimise the download size of the GarageBand and Logic Pro X applications, the content / music loops were separated.

When these applications are first launched, they try to download and install the content, with this totalling over 10s of GBs of data (especially for Logic)! Additionally, Apple will occasionally release new content packages, which are then downloaded the next time the application is launched.

In environments that manage their Mac devices (particularly Education departments) they will need to deploy these additional content packages with GarageBand and Logic Pro, otherwise users face a lengthy wait on first launch. Not an ideal user experience!

The question is how to catch and include these content packages. With a monolithic image, this is simple as the loops can be downloaded and included in the image. With a modular image, or if Apple release an updated content package, you need to use another technique.

Capturing all of the Content Packages

In the examples, I have used a fresh version of Mavericks 10.9.5 and an un-launched copy of GarageBand, but the process is almost identical for Logic Pro X and for when Apple releases an additional content package.

1. Launch GarageBand or Logic Pro X. You should either be prompted to download the new content or it will start automatically.

2. This will take some time, especially with Logic. Go make a cup of tea / coffee and generally leave the Mac to one side. Depending on the size and number of content packages, and the speed of your connection, it may even be advisable to leave it running overnight.

3. Eventually the progress message under the loading bar will change from an ETA to “Installing…” and an authentication window will appear asking for administration details. DO NOT FILL THIS IN AND DO NOT CLOSE THIS WINDOW!

4. Move the authentication window and the GarageBand / Logic Pro window to one side and go to your Finder application.
5. In Finder, select “Go” then “Go to Folder…”

6. In the box that appears, type “/var/folders/” and click “Go”. This path is case sensitive but you can use tab-completion to fill it in.

7. You will see any number of folders here, all with seemingly random two letter names. We need to organise these by size, which by default you won’t have enabled.

8. In the Finder, click “View” then “Show View Options”.

9. The View Options will now appear. Tick the “Calculate all sizes” check box. To avoid having to do this at each level, I suggest clicking the “Use as Default” button.

10. Once we’ve got the views sorted, we are going to need to drill down via the largest directory sizes to find what we’re after. I’ll show you what I had in my example but it will be very unlikely your directories will be named the same so you may need to go solo through this step.

a. My first level was “lq”.

b. My next one was “fwf625f54h52zc0vm3htj1yc0000gn”

c. Next I had just “C”

d. Now this is where we should all be in the same location! Find “com.apple.garageband10” (or “com.apple.logicpro…” if you’re grabbing Logic Pro content packages).

11. Open this directory and you should see an overly large one, in the example this is called “com.apple.MusicApps”. Open this.

12. Inside this there will be a directory called “audiocontentdownload.apple.com”. Open this (nearly there…)

13. Inside this last directory is another called (in the example’s case) “lp10_ms3_content_2013”. Open this.

14. And hey presto! There are your content packages, all neat and ready to be pushed out.

15. Organise it by size (or type) and grab them all (14 in this case)!

Credit

Now I have to be honest and say that I did not figure this out myself but rather by ‘standing on the shoulders of giants’. I found the information around a year or two ago and for the life of me, I cannot remember exactly where. Other than it was either:

So if anyone finds out whereabouts it’s mentioned, please comment below and I’ll update the blog.

Summary

I hope this helps anyone else who has to push out content packages to find and grab these as needed. This has worked for me for Mavericks and Yosemite so looks good so far!

As always, if you have any questions, queries or comments, let us know below and I’ll try to respond to and delve into as many as I can.

Best practices in 2015: Managing settings in Mac OS X & iOS

To continue our best practices series for 2015, this time around I’d like to describe the methods for settings management.

This is focusing on the central management of settings for the Mac OS such as the login window layout, and for installed applications such as Microsoft Word or GarageBand although also includes iOS.

Why manage settings?

For some people reading this, you may wonder why you need to manage device settings at all. There are scenarios where you might not want to do this. If you are working on your own and are using a Mac, any settings you configure would be applied directly to the OS via System Preferences, etc., or within the preferences screens of the apps you use.

If you are responsible for multiple devices, from 3-4 to thousands, you will be interested (albeit from differing perspectives) in controlling certain settings from a single administrative point.

In an education scenario, there are often labs of shared computers that have lots of different people logging in. As the classes are time constrained, it is important that each new user logging in is able to launch the application relevant to their lesson with the minimum of steps.

You don’t want the user to launch Microsoft Word and have it present them with a series of questions about joining customer improvement programs and whether or not to automatically update. You just want to load the app so they can get to work. To achieve this, you need a way to manage the settings.

In a business scenario, device deployments are generally one-to-one so refining the individual app settings can be less important. You may, however, want to ensure that certain security settings are enabled, and stay enabled. Enforcing options such as GateKeeper, FileVault, and screensaver passwords, and making sure that users can’t switch them off, is important.

What methods should you use to manage settings?

To configure most of the settings in Mac OS X, there are two core techniques, shell command / scripts and configuration profiles. It can be argued that it shouldn’t matter what technique you use as long as you achieve your goal, but it’s worth noting that most settings will be significantly easier to configure with one or the other.

You may notice that I am not discussing the tools you use to deploy these settings. These will be mentioned a little later on, so for the moment we are focusing on the underlying core techniques.

Why aren’t we including MCX / Workgroup Manager / Open Directory in this article?

We have been in a bit of a transition period over the past few years from something called MCX to MDM and configuration profiles. If you visit a school that had Macs installed 3-4 years ago you will typically find an Apple server running Open Directory (which holds the management settings) and Workgroup Manager (an app that lets you configure the settings).

Apple has been pushing the use of configuration profiles since the release of 10.7 (Lion) and has now dropped support for Workgroup Manager so it is safe to say if you are working out how to manage settings in 2015 (or later), you won’t be using Open Directory and its associated tools.

The last reason is the lack of iOS support. It is becoming increasingly important to control the settings for all Apple devices, which is the key reason Apple have replaced Workgroup Manager with Profile Manager.

Features you need to include when implementing your management system

There are a few features you need to think about including when you are looking to manage settings on your Apple devices.

  • Ability to switch them on and off - You will want the ability to switch these settings on, but you should try to pick a mechanism that will allow you to switch them back off should you need to
  • An ability to push the settings at any point - Where possible, pick a method that allows you to push the settings, not just at the point of initial configuration, but to already deployed devices
  • An ability to adjust the settings after deployment - You may need to adjust the settings once they have been deployed so try and make sure the method you are using can do this
  • An ability to exclude the devices from the scope - You will likely deploy the settings to groups of devices. Make sure you have the ability to exclude devices from the scope (and thereby remove the settings) should it be needed
  • An ability to check the success / failure status - You will need to know that your settings have been successfully deployed, or re-deploy if there is an error with some devices.

It’s not always possible to include all of these features with some types of settings but on the whole if you can tick all of these boxes it will be useful later on.

Manage settings with terminal commands

One very popular method to control Mac OS X settings is to use terminal commands. There are lots of examples in the previous blog post “Creating your first boot script”. You can either run individual commands or (as in the first boot example) group a collection of commands into a shell script and push it to your clients. Reversing or adjusting the settings post-deployment would be a case of pushing the altered scripts to the necessary machines.

There are, of course, a few drawbacks with this approach:

  • This is for Mac OS X only
  • In many cases, this is a harder skill to learn (compared to GUI configuration profile tools)

A note about preference caching in OS X

Some of you will have heard of preference caching in OS X. This feature, introduced in newer OS X releases, caches settings stored in preference files. This can interfere with tools that edit preference files directly like the defaults command.

This being said, there are lots of terminal commands that are still very useful, and difficult to replace with other methods, such as enabling Apple Remote Desktop, sysadminctl to create user accounts and systemsetup to set NTP server details.

Getting your terminal commands & scripts deployed

Once you have the commands written into a script, you will need a way to deploy them. Depending on the site, we normally use either the Casper Suite from JAMF Software, which can trigger scripts at login, logout, start-up, recurring check-ins (to name a few), or we use payload free packages (Apple installer packages that run a pre or post install script). With a payload free package you can use other tools like Munki or Apple Remote Desktop as a deployment tool.

Configuration Profiles

The second option for managing settings is to use configuration profiles. These are specifically formatted XML files that contain (amongst other things) a settings payload that can control settings in OS X and iOS. Many popular MDM services like Meraki and Casper have the ability to create and deploy configuration profiles using a simple GUI interface.

A nice feature of configuration profiles is the ability to control custom preference settings in OS X. As they are XML files, you can create them in plain text editors, loaded with the settings you need to enforce. In some MDM products, you are able to upload your customised preference files directly from OS X and have them convert into configuration profiles ready to deploy.

Configuration Profiles are also able to avoid the issues experienced by preference caching.

Getting your configuration profiles deployed

When we have created our set of configuration profiles, we again either use Casper’s built-in MDM functionality or the new abilities built-in to Munki to install them.

You can use most MDM services to deploy the profiles, just bear in mind that some simpler services like SimpleMDM and the free version of Meraki don’t support custom profiles.

Summary

For anyone tasked with managing groups of Macs, large or small, getting to grips with settings management is a must. If it is something you’re considering, I would recommend either terminal commands or configuration profiles.

If you’re looking at using defaults commands (or similar), see if it’s possible with a custom configuration profile to avoid issues with OS X preference caching.

Revise IT announced as a finalist in Surrey Digital Awards 2015

Revise IT has come a long way since we launched a series of free revision apps for Apple techs five years ago. Therefore, we are delighted to announce that Revise IT is a finalist in Mobile App Category at the Surrey Digital Awards 2015!

What are The Surrey Digital Awards?

The awards have been created to “reward innovation and progressive thinking by businesses across the county…” and to provide a “showcase for the hard work of those companies who have embraced online technology.”

Revise IT’s Story

Richard Mallion, our CTO and brains behind the Revise IT app, first came up with the idea when he moved on from writing printer drivers for Mac OS 6 and into development. Once Apple released the SDK, the idea to develop apps for iPhones really grabbed Richard’s attention.

What started out as a hobby, quickly developed into creating apps with a purpose; supporting Amsys and the Mac community. And that’s when the initial revision apps were born.

Consequently, as Richard’s skills and understanding of iOS development advanced, we were able to create our range of now phenomenally popular iOS app development courses!

Revise IT’s Feedback

During its lifetime, Revise IT has received some amazing feedback from the community as well as from a number of Apple training companies. As Revise IT was one of the first apps of its kind on the market, it subsequently received a lot of exposure. Both Mac User and Mac World featured Revise IT in their magazines, and it made it to the top 10 on the education list in the App Store.

To date, the App has had around 100,000 downloads!

Revise IT’s Yosemite Update!

When we released 10.9 last year, we were blown away by 18,000 users updating the app almost immediately. For those of you eagerly waiting for 10.10, you’ll be pleased to hear that we’ve just submitted version 10.10 to the App Store. We’re expecting Support and Server Essentials to appear sometime in Feb – Tweet @amsysuk to get an update!

Revise IT’s Future

Last year we included a number of new features, including the ability to share your results on social media platforms along with a new interface for iOS 7. This year, Richard is planning on giving Revise IT a bit of a well-deserved face lift.

Thank You

The awards ceremony is taking place in Surrey on 5th March 2015. And we would just like to thank everyone who has downloaded Revise IT and to the Apple community as a whole as Revise IT wouldn’t exist without you!

Download Revise IT for free here.

Firefox 34 and newer CCK2 lockdown detection Casper Extension Attributes

Hey again!

As mentioned in my previous blog, with version 34 and 35 of Firefox, Mozilla changed the locations for the lock-down files. As a result, my previous Casper Extension Attribute would not correctly detect that the lock-downs are installed for these versions of Firefox.

So I got off my backside and re-wrote it!

Extension Attribute Configuration

The EA configuration is the same as the previous blog, and this should be used.

Extension Attribute Script

Here’s the new script:

firefox 34 extension atrribute configuration

This now breaks down as:

Line 1                         The shebang. Lets the device know it’s a bash script

Lines 4 and 5         The two possible locations for the lock down files

Lines 8 and 9         This section grabs the version number (CFBundleShortVersionString) and strips out all except the first number before the dot.

Line 12                      This runs an ‘if’ statement asking if the number grabbed from lines 8 and 9 above is less than 34

Lines 14 to 17         This echos out the version found, then sets the items to check to the ‘old’ location (e.g. “MacOS”)

Line 18                      If the ‘if’ statement from line 12 is false, another statement runs asking if the number is equal to 34.

Lines 20 to 23       This echos out the version found, then sets the items to check to the ‘old’ location (e.g. “MacOS”) for all except the autoconfig file, which is in the ‘new’ location (e.g. “Resources”)

Line 18                      If the ‘if’ statements from line 12 and line 18 are false, another statement runs asking if the number is greater than 34.

Lines 20 to 23       This echos out the version found, then sets the items to check to the ‘new’ location (e.g. “Resources”).

Line 30                     Close the “if” statement

Line 33                     This runs a multi-input “if” statement. The use of the double pipes (“||”) denotes “or”. If you swapped these for double ampersands (“&&”) it would denote “and”. So this line says “(if directory ‘$distDir’ does NOT exist) or (if file ‘$overrideFile’ does NOT exist) or (if file ‘$autoconfigFile’ does NOT exist), do the section between ‘then’ and ‘else’”.

Line 36                     Echo into the Casper EA the word “No”. Essentially if any of those items are missing, then at least part of the customisations are missing and the whole lot should be reinstalled.

Line 39                     Echo into the Casper EA the word “Yes”. If none of those items are missing, then the customisations should be in place and working fine.

Line 40                     Close the “if” statement

Line 42                     Exit the script
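The version-dependent detection described in this breakdown, combined with the Munki Install Check Script exit-code rule from the earlier post (0 means install, anything else means do nothing), as an added example. It is not the author's script, which the page shows only as an image; the three relative file names and the /Applications/Firefox.app path are assumptions to be replaced with what your CCK2 package actually deploys.

```shell
#!/bin/bash
# Added example: Munki install check for the Firefox CCK2 lock-down files.
# The relative names below are assumptions, not taken from the original script.
DIST_REL="distribution"                        # assumed directory name
OVERRIDE_REL="browser/override.ini"            # assumed file name
AUTOCONFIG_REL="defaults/pref/autoconfig.js"   # assumed file name

# major_version "35.0.1" prints "35"; fails (status 1) if the result is not a number.
major_version() {
    local major
    major="${1%%.*}"
    case "$major" in
        ''|*[!0-9]*) return 1 ;;
        *) printf '%s\n' "$major" ;;
    esac
}

# cck2_needs_install <path to Firefox.app> <CFBundleShortVersionString>
# Returns 0 when the lock-down files must be (re)installed, 1 when all are present.
cck2_needs_install() {
    local app major old new dist_dir override_file autoconfig_file
    app="$1"
    # No readable version means Firefox is absent or damaged: nothing to lock down,
    # so report "no install needed" rather than looping on every Munki run.
    major=$(major_version "$2") || return 1

    old="$app/Contents/MacOS"        # location used before Firefox 34
    new="$app/Contents/Resources"    # location used after Firefox 34

    if [ "$major" -lt 34 ]; then
        dist_dir="$old/$DIST_REL"
        override_file="$old/$OVERRIDE_REL"
        autoconfig_file="$old/$AUTOCONFIG_REL"
    elif [ "$major" -eq 34 ]; then
        # Version 34 is the mixed case: only the autoconfig file has moved.
        dist_dir="$old/$DIST_REL"
        override_file="$old/$OVERRIDE_REL"
        autoconfig_file="$new/$AUTOCONFIG_REL"
    else
        dist_dir="$new/$DIST_REL"
        override_file="$new/$OVERRIDE_REL"
        autoconfig_file="$new/$AUTOCONFIG_REL"
    fi

    # Any one missing item means part of the lock-down is gone: reinstall the lot.
    if [ ! -d "$dist_dir" ] || [ ! -f "$override_file" ] || [ ! -f "$autoconfig_file" ]; then
        return 0
    fi
    return 1
}

# Munki runs an install check script with no arguments. The check itself only runs
# on a Mac; on any other system this file just defines the functions above.
if [ "$(uname -s)" = "Darwin" ]; then
    app="/Applications/Firefox.app"   # assumed install location
    version=$(/usr/bin/defaults read "$app/Contents/Info" CFBundleShortVersionString 2>/dev/null)
    if cck2_needs_install "$app" "$version"; then
        echo "CCK2 lock-down files missing for Firefox ${version}"
        exit 0    # Munki: install needed
    fi
    exit 1        # Munki: already installed, nothing to do
fi
```

For a Casper Extension Attribute the same function can be reused with the branches echoing “No” and “Yes” instead of exiting 0 and 1.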

Usage

Again, this is identical to my previous blog on this subject.

The only ‘gotcha’ is that, because of the varying locations, you will need to have multiple lock-down installer packages and scope them to devices that are:

a)    Missing the CCK 2 lockdowns

b)    Have Firefox version

  1. 34 for the v34 lockdown package
  2. 35 for the v35 lockdown package
  3. etc

Summary

There you go. I hope it continues to help someone out and saves you some time. As before, attached to this blog is an export of the EA. You can download this, upload it to your JSS and tweak it as desired.

As always, if you have any questions, queries or comments, let us know below and I’ll try to respond to and delve into as many as I can.

The technical interview 101 – Part 1

I wanted to write down some thoughts and experiences with interviewing from both the interviewee and the interviewer perspective, which I will be sharing with you over the next few weeks.

Part 1

We should start with the Interviewer finding the right Candidate(s).

A good interview technique will not turn a BAD candidate into a GOOD one!

As the hiring manager, you should be in complete control over who enters the interview process. I wouldn’t advise leaving this to HR or another colleague to decide. I have always found that the more involved the hiring manager is, the better the quality of candidates.

Your ability to conduct a great interview will make it easy to find the skills that the candidate already possesses, but it will not inject skills that aren’t there.

Today I will share the 3 basic considerations that can improve the quality of candidates to interview.

1.    The Job Posting

The best job postings read like an actual human being wrote them. Not jargon-filled nonsense, with more oxymorons and hyperbole than a Daily Mail editorial.

Your job posting should include the spirit of your organization while expressing the personality of you – the hiring manager. A lot of people struggle to understand that this is your sales pitch to your perfect candidate.

A generic, “HR-speak” filled advert normally attracts generic candidates… BUT a Creative, Passionate and Smart advert will generate Creative, Passionate and Smart candidates.

2. It’s all about your brand.

Have you seen Glassdoor.com?  This is a site that strikes the fear of god into most HR departments.

Here, employees have the chance to anonymously rate and review their past and current employers. We should all be encouraging our employees to use this site! What a fantastic way to gain a real insight to your employees.

Yes, there will be negatives, even if you gave your employees free Haribo and had Puppy Wednesdays. Of course, there would be someone who hates Puppies and Haribo (strange people)!

But this gives the potential candidate(s) a fantastic insight into your business through your current employees, and will only make your business stronger. Plus, the candidates that you then interview, will already feel like a small part of your business. There’s no point in deceiving candidates if internal issue(s) exist as they won’t stay, and that’s a costly hiring technique.

3. Do the legwork

Hiring is a costly and long process that most managers would rather pass onto somebody else. However, you are the key to your own success!

For this reason, work closely with your recruiter. Notice that I said recruiter and not multiple recruiters!

It may seem like a good idea to pass the job to 5 agencies in order to stand a better chance of finding that perfect candidate, when, in fact, it’s actually the opposite as you’re watering down your offering. You and your recruiter should have a symbiotic relationship.

You will have networks and connections that they don’t, and vice versa. Use the hiring process to develop a good relationship with your recruiter or HR department, which will make processes run smoothly while working with them.

The Interview

So, you have your 2, 3, 5 or 20 candidates to interview, all arranged and ready to go.

Now you and your co-interviewers’ task is to use that 60-minute window with the candidate in the most productive way possible. An hour is not a lot of time to decide on your company’s and the candidate’s fate. But it should be enough to get 80% of the way there. After all, hiring people is always going to be 10-20% luck.

I once read somewhere that the best interview format is 5 mins, 25 mins, 25 mins, 5 mins with a 5 min buffer.

  • 5 minute warm up
  • 2/4 big questions or problems (25/12 minutes each)
  • 5 minute wrap up

An uncomfortable or defensive candidate will never show their true potential, and an uncomfortable interviewer will never ask the right questions.

Be nice!

An obvious gesture I know, but you would be surprised how few take on board this tactic.

For instance, say the servers have just fallen over, or your C.E.O has just berated you due to your department’s overspend. DO NOT TAKE THAT INTO THE INTERVIEW WITH YOU!

It’s not the candidate’s fault that you’re having a bad day; they could be the answer to your problems!

You could choose to take a confrontational edge as the interview progresses, but you will never recover a candidate if they are uncomfortable or defensive from the start.

Ask them about their journey, and then move on to a question about their CV. Alternatively, ask them to choose what they think is the best thing from their CV and get them to describe it to you. This is your chance to help them dominate the conversation and to get them pumped.

A great interview is a great collaboration

If the job involves spending time with a team and collaborating together, then it’s important that the interview is also a collaborative process.

An amazing developer that can only work at home on their own is always going to be less valuable to a business in the long run than a good developer who adds value to the entire team. One of my favorite poems was from my days in the army. My huge, angry and aggressive training corporal read out the following John Donne poem to us while we were in the water tank at Lympstone.

No man is an island,
Entire of itself,
Every man is a piece of the continent,
A part of the main.
If a clod be washed away by the sea,
Europe is the less.
As well as if a promontory were.
As well as if a manor of thy friends
Or of thine own were:
Any man’s death diminishes me,
Because I am involved in mankind,
And therefore never send to know for whom the bell tolls;
It tolls for thee.

Being smart is not enough to build a successful team. 

The candidate has to be comfortable communicating their intellect, skill and knowledge to others by being able to take criticism on board and exchange ideas. Not by forcing colleagues in the direction that they perceive to be right.

The problems and questions you pose should include something about how the candidate will be WORKING WITH YOU on a particular project.

E.g. “I need to reorganize the internal IT department, and I want to put you in charge. How would you start?”

It’s important that you act as a guide and to collaborate, but do so from a distance. Answer their questions (it’s a great sign if they ask great questions). But only help them to clarify assumptions. DO NOT answer the questions for them unless they are completely stuck or off-topic and need a little nudge to move on.

interview techniques

Know when to Shut IT

It can sometimes be irresistible to spend the 60 minutes talking, after all, you have a captive audience. I could easily talk at someone for 60 minutes, without even noticing. THE MORE TIME YOU SPEND TALKING, THE LESS TIME THEY SPEND DEMONSTRATING THEIR TALENT!

It’s OK to be chatty and tell stories, just have a reason for it.

Keep Notes

There’s no point in starting the interview process if you’re not clear on what you’re looking for.

I would suggest creating an ordered list of the traits you require. They should be in 2 sections.

  1. How they will fit into the Team/Organization – it would be great if you had input from your existing team.
  2. How they will fit into the role in order to succeed.

You should think of yourself as an interrogator (a friendly one, let’s say “good cop”) who is trying to create problems and questions that discover whether the desired skills/talent/traits exist.

Even if hidden, you will find out in that hour.

In my opinion, this is the only attitude that will maximize your chances of making that perfect hire. You do not need to be confrontational or give a tough interview to achieve this – the opposite, in fact. It should be the quality of your questions and your attitude that makes an interview tough.

In the next part, I will go into:

  • Interview questions
  • Concluding the interview
  • The feedback process

OS X Yosemite hidden feature series – Part 2

os x yosemite hidden features part 2

Following on from Part 1 in this Yosemite series, looking at features of Yosemite that are not so well known or perhaps even hidden, Part 2 will focus on added features to the Apple Safari web browser app.

Apple have spent a lot of time on their web browser, and it really is a strong competitor now. And today, I’ve grabbed my favourite little gems!

New Feature 1: Recent Safari Browser History Removal

Previously, Safari would only allow you to remove your browsing history as an all or nothing feature. The only option to clear out recent browser history was to show all your browser history and manually select and delete required websites. A bit of a laborious task.

Well, Yosemite has stepped in to change all that. Now you can choose to delete just your last hour of browser history, or perhaps just everything from today, or even the last 48 hours. You can, therefore, preserve your long-term web history while just removing more recent history. I won’t start speculating on the reasons why people may wish to clear out just their last hour or so of web browser history! ;)

So, how do we do this?

Pretty simply actually. In Safari, select the main ‘Safari’ menu or the ‘History’ menu and you will see the option for ‘Clear History and Website Data…’

clear safari browsing yosemite

Once selected, you can choose options from the pull down menu for how much browser history to clear:

clear history preferences safari yosemite

Don’t forget that you can always clear custom-selected browser history by selecting ‘Show History’ from the ‘History’ menu and selecting and deleting just the specific browser links you wish.

New Feature 2: New Private Window

Safari has had a Private Browsing feature for a while. However, it was again an all or nothing option.

If you wanted to browse the web on a computer without Safari tracking what web pages you’ve visited, adding cookies or saving the passwords you’re entering, you had to enable Private Browsing for ALL web tabs and windows and then remember to disable it afterwards.

Yosemite’s Safari has made Private Browsing more convenient.

You can now just enable it in a new browser window, allowing you to perform your unmonitored browsing in one window while leaving all your usual websites open in other windows.

Again this is easy to do once you know how. Just select the ‘File’ menu and choose ‘New Private Window’ (or use the keyboard shortcut of SHIFT + COMMAND + N):

private browsing in safari yosemite

This will open a new Safari browser window that will have private browsing enabled:

private browsing enabled yosemite

Any browsing you perform within this window, including any tabs you create and use, will have its history, cookies and other info deleted once you have closed the window. Plus, any tabs you open will not appear on your other devices if you are using the same iCloud account on multiple Apple devices. (Refer to ‘New Feature 3: Handoff’ from Part 1 in this blog series for more info on this feature).

Any Browser windows you had open prior to opening this new private window, along with any new windows you open with the usual ‘New Window’ or ‘COMMAND + N’ keys, will still work as normal, by auto-filling in your usernames and passwords, creating browser history etc.

As you can see below, this new private window has a dark coloured search field instead of Safari’s default clear white colour. This allows you to remember easily which Safari window is the private browsing window:

private browsing yosemite

New Feature 3: Viewing all Safari Tabs

I’m a big lover of Web tabs instead of having multiple browser windows open. Safari now has a nice feature to show you a clear view of all currently opened tabs in the current window. To do this, you could select ‘Show All Tabs’ from Safari’s ‘View’ menu or use the shortcut keys of ‘SHIFT + COMMAND + \’. But the easiest way is to select the ‘Show all Tabs’ icon as highlighted in red below:

view all tabs in safari yosemite

Now I have 4 tabs open, 2 of which are from the same website. This new view has a handy feature where it will group Tabs from the same website. (See in the image below that the 2 tabs from www.amsys.co.uk are stacked together.)

Even better, if like me you have a Mac but also an iPhone or an iPad signed into the same iCloud account, this Show All Tabs feature will also show you any open tabs on any of your other iOS devices or even another Mac. (Notice that in the image below it shows the iCloud icon and the name of my iPhone along with the Safari tabs I’m using on my iPhone.)

view all open tabs on devices yosemite

If I now hover my mouse over these tabs from other devices, an ‘X’ will appear on the right allowing me to close those tabs on that device:

close tabs on other devices yosemite

New Feature 4: Recent Share History
yosemite share icon
Nice little titbit this one.

If you use the ‘Share’ icon in the Safari menu bar to send web information to someone either as a message, email, etc., Safari now has a ‘recents’ list. Handy for when you regularly share webpage links with the same person. It will also remember for you HOW you share with that person.

In the below example, I have shared a weblink as an iMessage to myself, which has been sent to my iPhone:

share via safari yosemite

New Feature 5: Favourites View

Most of us regularly visit the same core collection of websites every time we go online. Safari can now learn these for you, allowing you to choose quickly from a ‘favourites’ list.

safari favourites view icon

You can select the ‘favourites view’ icon (see right) in the Safari toolbar, but if you also click on the Smart Search field (where you enter a URL or perform a web search), a grid of icons will then appear displaying your favourite websites and frequently visited websites:

favourites view safari

You can drag out any favourites that you want to delete from the list with the usual ‘puff of smoke’ effect as well as re-order them should you wish.

Should you wish to remove this feature, select the Safari main menu and open the Preferences. Go to the ‘Search’ tab and un-tick the ‘Show Favorites’ option:

remove favourites view yosemite

New Feature 6: Importing bookmarks into Safari

Importing your bookmarks from other web browsers was sometimes not that easy, even requiring exporting an HTML file first. Safari in Yosemite has improved importing.

You can easily now import Google Chrome or Mozilla Firefox’s configuration files. All you need to do is go to the ‘File’ menu and select ‘Import From’:

import bookmarks safari yosemite

The sub-menu will offer you dedicated options for importing from Chrome and Firefox, as well as the HTML import option:

import chrome firefox safari

Safari supports importing bookmarks, history and passwords from Firefox and bookmarks and history from Chrome:

import bookmarks history passwords safari

New Feature 7: RSS Returns!

In years gone by before social networking kicked off, I used to love using Safari to subscribe to news feeds known as RSS. With the introduction of OS X Mountain Lion, this feature was removed. After the initial moaning, I got over it and found other ways to keep up to date such as following news feeds on Twitter.

For those of you that would like to return to using RSS, Safari in Yosemite has integrated RSS feeds into the Shared Links feature and can also grab links from your Twitter and LinkedIn feeds.

Just click on the RSS link within any website and Safari will bring up a window asking if you would like to add this feed to your Shared Links:

rss feeds safari yosemite

sidebar icon yosemite

Once you have added the feed, to access your Shared Links, select the Sidebar icon in the Safari toolbar, which is usually next to the back/forward icons (see right), then select the @ icon. Or you can select ‘Show Shared Links Sidebar’ from Safari’s ‘View’ menu. (CONTROL + COMMAND + 3 will also do the trick).

If you have logged into social media accounts such as Twitter and LinkedIn, these will also have their feeds displayed here:

social media rss safari yosemite

apple hot new rss feed safari

Shared links are displayed by the date that they were posted. So you may find RSS feeds and social media feed posts merged.

If you want to remove a site from the Shared Links, follow the steps above to return to the @ tab of the Safari sidebar, and then click on the ‘Subscriptions’ button at the bottom:

remove site from shared links safari

remove feeds from safari

To remove a social media feed, un-tick the box. To remove an RSS feed, select the ‘X’ icon to the left of the feed.

New Feature 8: Clever Searching

Safari has gained the ability to ‘learn’ when you use a search field in any website. You can then use a website’s search feature directly from the main Safari URL/search bar without having to re-visit the specific site first.

Sometimes, Safari is so clever that you may not even need to visit a website and use its search field for Safari to offer you a website’s search field directly in the menu bar.

How can I explain this clearly? Well, a demo usually works.

Imagine that I have Googled the Apple Watch. I have then clicked a link to the Apple website where I have used the search field inside Apple’s webpage (The Magnifying Glass icon) to find all articles hosted directly on Apple’s website regarding the watch:

clever searching safari

Safari will now have learned that I have searched within www.apple.com for the term ‘watch’.

I can now perform this same search quicker next time by simply typing in ‘apple watch’ into Safari’s main smart search field as shown below:

smart search field safari

Notice that Safari has suggested www.apple.com/uk/watch/ as well as searching discussions.apple.com for ‘watch’, which is exactly what I did manually.

Want to remove this feature?

Select the Safari main menu and open the Preferences. Go to the ‘Search’ tab and un-tick the relevant option(s):

remove safari smart search

Quick Website Search has a ‘Manage Websites’ button that allows you to view and remove the website that it has remembered you used in their internal search systems:

quick website search safari

New Feature 9: Where’s the full URL gone?

Finally, I wanted to mention a cheeky trick Safari now does with URL names. It now only shows you the main URL of a site or its domain name.

The idea here is to protect users from phishing scams by showing you just the base URL a web link has come from.

For example, if I visit https://www.apple.com/watch/apple-watch-edition/ and look at the Safari address bar, all I will see is ‘Apple Inc’:

short urls sarfari

Now the good news is that I now know that the link I am going to is officially from Apple. But I can’t see the full URL. Now you can just click on the base URL info, and it will expand to give you the full URL address. But if you wish to see the full URL by default, you just need to know where to enable it.

Select the Safari main menu and open the Preferences. Go to the ‘Advanced’ tab and Tick ‘Show full website address’:

see ful url safari

I hope you are finding this blog series useful. The features I am discussing are just a collection of the ones that I have discovered and found useful, and are not a complete feature list.

Remember, Apple has a decent overview of the main new features of OS X Yosemite on their website.

Watch this space for more in this series!

Don’t forget, if you would like to learn more about OS X or just the Mac in general, then take a look at our collection of introductory training courses.

We also have a large collection of Mac Support and iOS IT courses, which you may also find useful.

Disclaimer:

While the author has taken care to provide our readers with accurate information, please use your discretion before acting upon information based on the blog post. Amsys will not compensate you in any way whatsoever if you ever happen to suffer a loss/inconvenience/damage because of/while making use of information in this blog.

These features were tested using OS X Yosemite v10.10.1 and iOS v8.1.2 which were the latest Mac OS and iOS releases at the time of writing.

Exporting Users from OS X Server for Yosemite

With the release of OS X Server for Yosemite, Apple retired Workgroup Manager, thus leaving us System Admins no GUI method of exporting users and groups out of the server.

The old Workgroup Manager tool gave us the ability to both export and import user / group records; the Server app can only import users.

But not all is lost. We have a bunch of command line tools that allow us to interact with the user directories. In particular we have the dsexport command.

dsexport allows us to export records from our user directories to compatible files that the Server app can use.

The command has the following three main arguments:

  • The path to the output file you wish to create
  • The path to the OpenDirectory node that contains the records you wish to export
  • The type of records we wish to export.   For example, dsRecTypeStandard:Users  or  dsRecTypeStandard:Groups

There are a couple of additional arguments you can supply, which include the ability to filter certain attributes for each record you wish to exclude and also a list of records you wish to export.

Exporting Users:

So, here are a few examples of exporting users.

1. To export all users from the local directory to a file called “exportedUsers.out”

dsexport   exportedUsers.out   /Local/Default   dsRecTypeStandard:Users

2. To export all users from the OpenDirectory LDAP node to a file called “exportedUsers.out”

dsexport   exportedUsers.out   /LDAPv3/127.0.0.1   dsRecTypeStandard:Users

By default, all users are exported, including system accounts. There’s nothing stopping you from editing this file and removing any accounts you wish. However, you can supply a list of users you wish to export with the -r parameter.

3. To export any user whose name is richard or oliver from the OpenDirectory LDAP node to a file called “exportedUsers.out”

dsexport exportedUsers.out /LDAPv3/127.0.0.1 dsRecTypeStandard:Users -r richard,oliver

Exporting Groups:

Here are a few examples of exporting group records.

1. To export all groups from the local directory to a file called “exportedGroups.out”

dsexport exportedGroups.out /Local/Default dsRecTypeStandard:Groups

2. To export just the admin and staff group from the OpenDirectory LDAP node to a file called “exportedGroups.out”

dsexport exportedGroups.out /LDAPv3/127.0.0.1 dsRecTypeStandard:Groups -r admin,staff

Importing:

Once you have generated these files, you can then import them back into a new / replacement server if required.

  • You can use the Server app and import the file using the GUI
  • Or you can use the dsimport command line tool.

In its basic form, dsimport just requires:

  • The path to the text file you wish to import
  • The path to the directory node you wish to import into

As well as these basic two arguments, we also have some nice options to handle conflicts:

O   Overwrite any records that have the same IDs

M   Merge import data with existing records, or create the record if it does not exist

I   Ignore records that have conflicting IDs

So to reimport our file, but ignore records that already exist we could use:

dsimport exportedUsers.out /LDAPv3/127.0.0.1  I

Thanks for reading, I hope that this blog is of some use.

Changes to CCK 2 usage with Firefox 35

Hello again. Apologies in advance for another blog on Firefox but with a combination of frequent updates and Mozilla (again) changing where the files need to be placed to use CCK, I felt it was needed.

*Sigh* Firefox is starting to feel like Adobe Flash Player… [/personal whine]. To take full advantage of this blog, please open this page in another tab too.

Introduction

Firefox Version: 35.0.0
CCK Version: 2.0.9
Date written: 15/01/15

The first of the latest changes was actually with version 34, where the Mozilla developers changed where the “/Defaults/Firefox/Contents/Resources/defaults/pref” files go. These were shifted to “./Firefox.app/Contents/Resources/” instead of “./Firefox.app/Contents/MacOS/”.

With the latest version (v35), now ALL of the CCK produced files need to go into this new location.

First: Credit where credit is due

Previously, I’ve had to discover the majority of this information through trial and error and a lot of Googling, hence my effort to document my findings. However, at the start of December I found I wasn’t alone! A thread on JAMF Nation started by Tim Arnold documented the changes to CCK use with Firefox version 34.

Following on from this, a number of others contributed to show their own methods and information for CCK 2 usage, including that for Firefox version 35 once released.

It is from this forum thread the vast majority of the information below has been obtained.

So…what’s new?

Right, to prepare Firefox v35 for deployment, firstly I recommend following my previous blog “Locking down Firefox with CCK 2” until step 47.

Here, replace step 47 with:

Navigate to the “Contents” > “Resources” folder within the bundle.

This new location will have all of the usual files previously located in “Contents” > “MacOS”. Once here, dump / install the CCK 2 files as directed in the remainder of the previous post. It should result in something like the below screenshot (depending on the lock downs you’ve configured):

change to cck2 firefox 35

Summary

Thanks for taking the time to read my latest in a line of never ending Firefox posts! : P

As always, if you have any questions, queries or comments, let us know below and I’ll try to respond to and delve into as many as I can.

Disclaimer:
While the author has taken care to provide our readers with accurate information, please use your discretion before acting upon information based on the blog post. Amsys will not compensate you in any way whatsoever if you ever happen to suffer a loss/inconvenience/damage because of/while making use of information in this blog.

Creating your first boot script

Why create a first boot script?

Anyone who is using the modular deployment technique will have hit the first stumbling block very early on. If you’re deploying an unbooted, unconfigured OS, how do you get it past the Apple setup assistant? After getting past this hurdle, lots of other questions start cropping up like “how do I get the Mac localised for my geographical region?” and “how do I add a local admin account?”

There are a bunch of different approaches people are using but the most popular by far is a first boot script. This is a script that is set to run on first boot, after the OS has been deployed / installed, that sets up all of these extra items so the Mac is ready for use.

Why should I build my own and not just use one I find on the Internet?

There are lots of good sources of example first boot scripts shared by the community and as long as you trust the source there is nothing wrong with using what you find. The goal of this blog is to demystify some of the first boot script contents and help you to learn how to create your own, or at the very least, understand the code that is included in others.

What language should you use for the script?

Technically speaking, any language that the Mac can understand would be OK. I generally use bash as it has most of the commands I need already built-in.

Most of the examples I’ve seen posted by other Mac admins have been in bash so although you could go for perl, python or something else, you may find getting help with tricky problems a bit of a challenge (I’m sure some perl and python masters out there will strongly disagree but this is just my opinion!)

What should I use to write the script?

You need a simple text editor for this task. I would avoid applications like TextEdit and definitely stay away from Word or other word processing apps. I have used Fraise for quite a few years and have recently started using Sublime Text. Other good options are TextWrangler and BBEdit. In addition to these being basic text editors, they color code your text really nicely so you can see what’s a variable, a string, a comment etc.

a good text editor

User Template and Existing Users

There are quite a few settings that are per-user. This means that some settings are stored in a preference file in each user’s home folder (i.e. /Users/dave/Library/Preferences/co.uk.amsys.mygreatsetting.plist, rather than /Library/Preferences/co.uk.amsys.mygreatsetting.plist).

As a lot of you will already know, home folders are (by default) stored in /Users and when a new user logs in, the home folder is created from the template in /System/Library/User Templates. There are a few different techniques people like to use to get their custom settings into the user’s home Library:

  • Use a LaunchAgent to write in the setting during login - This is a newer technique and it involves adding the settings to a script that will run at login, rather than as a first boot item. I have to say that I’m not a fan of this method mainly due to its consistency.  There is a lot going on at login and in the past I have had mixed results trying to configure user level settings quickly enough for them to always apply for every user at every login.
  • Write the data into the user template - This is my current preferred method.  Run the commands as part of the first boot script straight into the user template folders.  Any new users will then get these settings by default.

If you do use the user template method, you may need to write the data into any pre-existing home folders (for any users that logged in before you made the change).  In theory, if you have just deployed the Mac, there shouldn’t be any, but it is worth including the code so you can also use it on machines that have been in use for a while. 

My method for this is to loop through any folders found in /Users (as documented here). 

Some people have commented that it is better to read the value from the directory service. That would also work, although it would pick up all of the system users, which would then need excluding. My personal preference is to just go for what’s in /Users. If I put the homes in a non-standard location, I can easily change the path for that particular environment.

I wanted to include this explanation regarding users and preferences in home folders so it adds some context around the code included in this blog. There’s no particular right or wrong way really, so go for whichever method you prefer, as long as you get to where you need to be.

Commands Used

In my first boot scripts, the main commands I’m using are:

  • /usr/sbin/sysadminctl - Available in 10.10.x, used to add local accounts
  • /usr/sbin/systemsetup - Used to set NTP servers, time zones and other clock options (and lots of other things)
  • /usr/libexec/PlistBuddy - Used for reading and writing data into xml arrays
  • /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart – ARD command-line tool
  • /usr/bin/defaults – Used to read and write xml keys in plist files
  • /usr/sbin/spctl - For switching Gatekeeper on and off

Other Unix Features

  • Functions – Used to simplify the repetition of chunks of code
  • Loops – Used to repeat code based on pre-defined criteria (in this case the contents of folders)

A Quick Note About The Loops Used in The Example Script

You will notice in our example that we run very similar loops over and over again.  This isn’t necessarily the most efficient use of the code, which could be shorter.  The main reason for laying it out this way is to make each section of the script self-contained. 

This will enable you to chop out specific sections that interest you.  In reality, when we are writing a series of commands into the user template folder and existing user home folders, we would run them all in a single loop.  In this example we didn’t want you to have to find the bits you need hidden amongst other lines of unrelated code.

First boot script, step-by-step

Creating a local admin account

There are a couple of ways you can go about creating a local admin user.  One of my favorites for the past year or two has been CreateUserPkg.  This app lets you specify the account details and will generate a pkg from the resulting code that you can include in your deployment workflow.  Prior to this I was running a series of unfriendly dscl commands so this was much easier.

Since 10.10, a new command-line binary has been included called sysadminctl.  This binary lets you create and manage local user accounts.  In my 10.10 first boot script I just include a line like this:

sysadminctl -addUser localadmin -fullName "Local Admin" -UID 499 -password "apassword" -home /var/localadmin -admin

As this is a new command, here is the step-by-step breakdown:

  • Specifying the unix command to run: sysadminctl
  • Telling it I want to add a user account with the name “localadmin”: -addUser localadmin
  • Telling the command that I want the fullname to be “Local Admin”: -fullName "Local Admin"
  • Setting the UID to 499 (classed as a system account below 500): -UID 499
  • Setting a password: -password "apassword"
  • Specifying the home folder location (in a hidden directory): -home /var/localadmin
  • Specifying that I want the account to be an admin: -admin

Setting time zone and time server

There are a few different steps needed to get the time configured. For each of these commands we are using the systemsetup command line tool.  systemsetup can configure all sorts of things like sleep settings, the time, and the computer name. To see all of its options use systemsetup -help.

For our first boot script, first we need to set the time zone:

/usr/sbin/systemsetup -settimezone "Europe/London"

You can use systemsetup -listtimezones to get a full list of the available time zones.

Next I set the Mac to use a time server. This isn’t specifying the actual time server (that’s in the next command), but rather it’s just saying “use a time server”:

/usr/sbin/systemsetup -setusingnetworktime on

Finally I tell the Mac which time server to use:

/usr/sbin/systemsetup -setnetworktimeserver "ntp.amsys.co.uk"

If you’re not sure which time server to use, you can always set it to your AD domain controller (if you have one) as they are configured to be time servers by default.

Region, keyboard and language

There are three separate elements we have to work on:

  • The keyboard layout
  • The language
  • The region (for the default currency etc.)

In this example I’ll be setting the Mac to use the British keyboard layout, en language and en_GB region.

The Keyboard Layout

This first part (in fact all three parts of the localization settings) requires the use of PlistBuddy. This is because the data is stored in arrays. While it might be possible with the defaults command, PlistBuddy is the right tool for the job.

This part of the script is broken into two parts. First we create the function that will perform the actual task:

 
PLBUDDY=/usr/libexec/PlistBuddy
NAME="British"
LAYOUT="2"
 
# Replace the keyboard layout keys in the plist passed as ${1}.
# Each key is only re-added when its Delete succeeded, i.e. when the key
# was already present in the file.
update_kdb_layout() {
  ${PLBUDDY} -c "Delete :AppleCurrentKeyboardLayoutInputSourceID" "${1}" &>/dev/null
  if [ ${?} -eq 0 ]
  then
    ${PLBUDDY} -c "Add :AppleCurrentKeyboardLayoutInputSourceID string com.apple.keylayout.${NAME}" "${1}"
  fi
 
  # Rebuild each input source array with a single entry for the chosen layout
  for SOURCE in AppleDefaultAsciiInputSource AppleCurrentAsciiInputSource \
    AppleCurrentInputSource AppleEnabledInputSources AppleSelectedInputSources
  do
    ${PLBUDDY} -c "Delete :${SOURCE}" "${1}" &>/dev/null
    if [ ${?} -eq 0 ]
    then
      ${PLBUDDY} -c "Add :${SOURCE} array" "${1}"
      ${PLBUDDY} -c "Add :${SOURCE}:0 dict" "${1}"
      ${PLBUDDY} -c "Add :${SOURCE}:0:InputSourceKind string 'Keyboard Layout'" "${1}"
      ${PLBUDDY} -c "Add :${SOURCE}:0:KeyboardLayout\ ID integer ${LAYOUT}" "${1}"
      ${PLBUDDY} -c "Add :${SOURCE}:0:KeyboardLayout\ Name string '${NAME}'" "${1}"
    fi
  done
}

This function will delete the current keyboard layout entry (if present) and add in the new entries.

Next we set the keyboard layout in /Library/Preferences and in each user’s home directory. The setting is stored in the com.apple.HIToolbox.plist file.

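# System-wide setting first
update_kdb_layout "/Library/Preferences/com.apple.HIToolbox.plist" "${NAME}" "${LAYOUT}"
 
# Then every existing home folder. The loop variable is USER_HOME rather than
# HOME so the script's own HOME environment variable is not overwritten.
for USER_HOME in /Users/*
do
  if [ -d "${USER_HOME}/Library/Preferences" ]
  then
    cd "${USER_HOME}/Library/Preferences" || continue
    HITOOLBOX_FILES=$(find . -name "com.apple.HIToolbox.*plist")
    for HITOOLBOX_FILE in ${HITOOLBOX_FILES}
    do
      update_kdb_layout "${HITOOLBOX_FILE}" "${NAME}" "${LAYOUT}"
    done
  fi
done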

Setting the OS language

Similar to the keyboard layout, we create a function to set the language:

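# Named OS_LANG so the shell's own LANG locale variable is not overwritten
OS_LANG="en"
 
# Replace the AppleLanguages array in the plist passed as ${1}.
# The array is only re-added when the Delete succeeded, i.e. when the key
# was already present in the file.
update_language() {
  ${PLBUDDY} -c "Delete :AppleLanguages" "${1}" &>/dev/null
  if [ ${?} -eq 0 ]
  then
    ${PLBUDDY} -c "Add :AppleLanguages array" "${1}"
    ${PLBUDDY} -c "Add :AppleLanguages:0 string '${OS_LANG}'" "${1}"
  fi
}

Then we use a loop script to write the value into /Library/Preferences and each user’s home folder. The language setting is stored in the .GlobalPreferences.plist file.

# System-wide setting first
update_language "/Library/Preferences/.GlobalPreferences.plist" "${OS_LANG}"
 
# Then every existing home folder (USER_HOME, not HOME, so the script's own
# HOME environment variable is not overwritten)
for USER_HOME in /Users/*
do
  if [ -d "${USER_HOME}/Library/Preferences" ]
  then
    cd "${USER_HOME}/Library/Preferences" || continue
    GLOBALPREFERENCES_FILES=$(find . -name "\.GlobalPreferences.*plist")
    for GLOBALPREFERENCES_FILE in ${GLOBALPREFERENCES_FILES}
    do
      update_language "${GLOBALPREFERENCES_FILE}" "${OS_LANG}"
    done
  fi
done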

Setting the region

Finally we need to set the region (for default currency and a few other values).

As before, it’s another function:

REGION="en_GB"
 
update_region() {
  ${PLBUDDY} -c "Delete :AppleLocale" "${1}" &>/dev/null
  ${PLBUDDY} -c "Add :AppleLocale string ${REGION}" "${1}" &>/dev/null
  ${PLBUDDY} -c "Delete :Country" "${1}" &>/dev/null
  ${PLBUDDY} -c "Add :Country string ${REGION:3:2}" "${1}" &>/dev/null
}

Followed by a script to set the values in /Library/Preferences and each user’s home:

# System-wide setting first
update_region "/Library/Preferences/.GlobalPreferences.plist" "${REGION}"
 
# Then every existing home folder (USER_HOME, not HOME, so the script's own
# HOME environment variable is not overwritten)
for USER_HOME in /Users/*
do
  if [ -d "${USER_HOME}/Library/Preferences" ]
  then
    cd "${USER_HOME}/Library/Preferences" || continue
    GLOBALPREFERENCES_FILES=$(find . -name "\.GlobalPreferences.*plist")
    for GLOBALPREFERENCES_FILE in ${GLOBALPREFERENCES_FILES}
    do
      update_region "${GLOBALPREFERENCES_FILE}" "${REGION}"
    done
  fi
done

Apple Remote Desktop

Apple Remote Desktop has a number of options available that can be configured via a first boot script. The command-line tool is buried in the System Library so it is worth setting its location to a variable to make the other commands a bit more readable:

ARD="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart"

First off we will need to switch ARD on:

$ARD -configure -activate

Next we need to lock the service down to specific users and decide what they can and can’t do.

$ARD -configure -access -on
$ARD -configure -allowAccessFor -specifiedUsers
$ARD -configure -access -on -users localadmin -privs -all

These options enable access for the Mac’s local accounts, ensure that only the specified users can get access, and then set specific options for the localadmin account.

The -privs -all option tells ARD that localadmin is allowed to use all of the sub-options available in ARD. Other options for -privs include:

-none
-DeleteFiles
-ControlObserve
-TextMessages
-ShowObserve
-OpenQuitApps
-GenerateReports
-RestartShutDown
-SendFiles
-ChangeSettings
-ObserveOnly
-mask <mask>

It is important to ensure that ARD can only be used by specified users. This is due to a security loophole with the “all users” option. When ARD is set to allow all users, this includes all users in any directory the target Mac is bound to. In the ARD app, you can send Unix commands as the root user. If all users are allowed to use ARD, this means that a non-admin domain user could send root commands to the Mac.

There are a lot more options available in the kickstart binary. Use the -help option to see the full list.

Tip: Make sure you include the ARD code AFTER creating the local admin user account (it can’t give access to a user that doesn’t exist).

Enabling SSH access

Either in addition to, or instead of ARD, you can enable SSH access with the following command:

systemsetup -setremotelogin on

Setting up the Login Window

There are a few options we normally configure for the Login Window.

First off we like to set it to username and password text fields rather than displaying a list of local users. This can be set with a one-line command:

/usr/bin/defaults write /Library/Preferences/com.apple.loginwindow SHOWFULLNAME -bool true

The second change is to allow admin host information to be visible. When this is enabled, you can click the hostname in the top right corner of the screen to get other information such as the Mac’s IP address:

/usr/bin/defaults write /Library/Preferences/com.apple.loginwindow AdminHostInfo HostName

Finally, we disable External Accounts at the Login Window. External Accounts were introduced with an earlier version of Mac OS X (I can’t remember exactly which one but it was around 10.5) and allow you to store a user account and its home folder on an external drive. When you plug in the drive (after entering admin account details), the user can log in with the external account.

This isn’t a feature we want enabled so we disable it with the following command:

/usr/bin/defaults write /Library/Preferences/com.apple.loginwindow EnableExternalAccounts -bool false

Disable iCloud Setup at login

The next alteration is to stop the iCloud setup screen appearing when users log in to the Mac. This is particularly useful in education environments as the students would not normally (certainly in shared device setups) need to login with an iCloud account.

This setting has always been a little tricky to configure as it changes depending on the OS version of the Mac. Thanks to Rich Trouton’s code, the following information can be written into the com.apple.SetupAssistant.plist file in each user’s home folder:

First we get the OS version and save the info into a variable:

osvers=$(sw_vers -productVersion | awk -F. '{print $2}')
sw_vers=$(sw_vers -productVersion)
# Build number, used below for LastSeenBuddyBuildVersion
sw_build=$(sw_vers -buildVersion)

Next we write the value into the files in the user template:

for USER_TEMPLATE in "/System/Library/User Template"/*
	do
    /usr/bin/defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.SetupAssistant DidSeeCloudSetup -bool TRUE
    /usr/bin/defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.SetupAssistant GestureMovieSeen none
    /usr/bin/defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.SetupAssistant LastSeenCloudProductVersion "${sw_vers}"
    /usr/bin/defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.SetupAssistant LastSeenBuddyBuildVersion "${sw_build}"
	done

Finally we write the value into any existing user home folders in /Users:

for USER_HOME in /Users/*
	do
		USER_UID=`basename "${USER_HOME}"`
		if [ ! "${USER_UID}" = "Shared" ]
		then
			if [ ! -d "${USER_HOME}"/Library/Preferences ]
			then
				mkdir -p "${USER_HOME}"/Library/Preferences
				chown "${USER_UID}" "${USER_HOME}"/Library
				chown "${USER_UID}" "${USER_HOME}"/Library/Preferences
			fi
			if [ -d "${USER_HOME}"/Library/Preferences ]
			then
				/usr/bin/defaults write "${USER_HOME}"/Library/Preferences/com.apple.SetupAssistant DidSeeCloudSetup -bool TRUE
				/usr/bin/defaults write "${USER_HOME}"/Library/Preferences/com.apple.SetupAssistant GestureMovieSeen none
				/usr/bin/defaults write "${USER_HOME}"/Library/Preferences/com.apple.SetupAssistant LastSeenCloudProductVersion "${sw_vers}"
				/usr/bin/defaults write "${USER_HOME}"/Library/Preferences/com.apple.SetupAssistant LastSeenBuddyBuildVersion "${sw_build}"
				chown "${USER_UID}" "${USER_HOME}"/Library/Preferences/com.apple.SetupAssistant.plist
			fi
		fi
	done

Disable diagnostics at login

A second prompt that OS X has started offering at login is whether the user would like to submit diagnostic information. In a lot of our setups this isn’t something we want to ask the user so we disable it using a similar method to iCloud, although in this case we are back to plistbuddy as the information is stored in an array:

We normally use two variables for submitting info to Apple and to developers. This is just to make it easy to toggle them on and off as needed:

SUBMIT_TO_APPLE=NO
SUBMIT_TO_APP_DEVELOPERS=NO

Then the main body of the script:

PlistBuddy="/usr/libexec/PlistBuddy"
os_rev_major=`/usr/bin/sw_vers -productVersion | awk -F "." '{ print $2 }'`
if [ "$os_rev_major" -ge 10 ]; then
  CRASHREPORTER_SUPPORT="/Library/Application Support/CrashReporter"
  CRASHREPORTER_DIAG_PLIST="${CRASHREPORTER_SUPPORT}/DiagnosticMessagesHistory.plist"
 
  if [ ! -d "${CRASHREPORTER_SUPPORT}" ]; then
    mkdir "${CRASHREPORTER_SUPPORT}"
    chmod 775 "${CRASHREPORTER_SUPPORT}"
    chown root:admin "${CRASHREPORTER_SUPPORT}"
  fi
 
  # Remove any existing values so the Add commands below cannot fail on a duplicate key
  for key in AutoSubmit AutoSubmitVersion ThirdPartyDataSubmit ThirdPartyDataSubmitVersion; do
    $PlistBuddy -c "Delete :$key" "${CRASHREPORTER_DIAG_PLIST}" 2> /dev/null
  done
 
  $PlistBuddy -c "Add :AutoSubmit bool ${SUBMIT_TO_APPLE}" "${CRASHREPORTER_DIAG_PLIST}"
  $PlistBuddy -c "Add :AutoSubmitVersion integer 4" "${CRASHREPORTER_DIAG_PLIST}"
  $PlistBuddy -c "Add :ThirdPartyDataSubmit bool ${SUBMIT_TO_APP_DEVELOPERS}" "${CRASHREPORTER_DIAG_PLIST}"
  $PlistBuddy -c "Add :ThirdPartyDataSubmitVersion integer 4" "${CRASHREPORTER_DIAG_PLIST}"
fi

Disable Time Machine Popups Offering for New Disks

When you plug in an external drive to a Mac, it will automatically offer to use it as a Time Machine destination. While most users would know which option to select, it is often not worth the risk. You can disable Time Machine offering new disks for backup with the following command:

/usr/bin/defaults write /Library/Preferences/com.apple.TimeMachine DoNotOfferNewDisksForBackup -bool true
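A first boot script runs unattended, so it is worth checking afterwards that the login window, diagnostics and Time Machine settings above actually landed with the right value and type. The following check is an added example, not part of the original script: the keys and paths are the ones used in the commands above, while the function names and the sample plists are constructed for illustration.

```python
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

# Expected values, copied from the defaults and PlistBuddy commands on this page.
# Paths are relative to the volume root, so a mounted image can be checked too.
BASELINE = {
    "Library/Preferences/com.apple.loginwindow.plist": {
        "SHOWFULLNAME": True,
        "AdminHostInfo": "HostName",
        "EnableExternalAccounts": False,
    },
    "Library/Application Support/CrashReporter/DiagnosticMessagesHistory.plist": {
        "AutoSubmit": False,
        "ThirdPartyDataSubmit": False,
    },
    "Library/Preferences/com.apple.TimeMachine.plist": {
        "DoNotOfferNewDisksForBackup": True,
    },
}

# Constructed sample state (not captured from a real Mac) with four deviations.
SAMPLE_PLISTS = {
    "Library/Preferences/com.apple.loginwindow.plist": {
        "SHOWFULLNAME": "true",        # written without -bool, so stored as a string
        "AdminHostInfo": "HostName",
        # EnableExternalAccounts was never written
    },
    "Library/Application Support/CrashReporter/DiagnosticMessagesHistory.plist": {
        "AutoSubmit": False,
        "AutoSubmitVersion": 4,
        "ThirdPartyDataSubmit": True,  # still submitting to app developers
        "ThirdPartyDataSubmitVersion": 4,
    },
    # com.apple.TimeMachine.plist is deliberately absent
}

MISSING = object()


def audit(root="/", baseline=BASELINE):
    """Return (relative_path, key, expected, actual) for every deviation."""
    findings = []
    for rel_path, expected_keys in baseline.items():
        try:
            with open(Path(root) / rel_path, "rb") as handle:
                data = plistlib.load(handle)  # handles XML and binary plists
        except FileNotFoundError:
            findings.append((rel_path, None, "readable plist", "file missing"))
            continue
        except (plistlib.InvalidFileException, ExpatError):
            findings.append((rel_path, None, "readable plist", "unparseable file"))
            continue
        if not isinstance(data, dict):
            findings.append((rel_path, None, "readable plist", "top level is not a dictionary"))
            continue
        for key, expected in expected_keys.items():
            actual = data.get(key, MISSING)
            # Strict type match: the string "true" or the integer 1 is not
            # accepted where the baseline expects a real boolean.
            if type(actual) is not type(expected) or actual != expected:
                findings.append((rel_path, key, expected,
                                 "key missing" if actual is MISSING else actual))
    return findings


def write_plists(directory, plists):
    """Write each dictionary as a binary plist below directory."""
    for rel_path, content in plists.items():
        target = Path(directory) / rel_path
        target.parent.mkdir(parents=True, exist_ok=True)
        with open(target, "wb") as handle:
            plistlib.dump(content, handle, fmt=plistlib.FMT_BINARY)
    return directory


def run_demo(plists=SAMPLE_PLISTS):
    """Audit a throwaway directory tree populated with the given plists."""
    with tempfile.TemporaryDirectory() as directory:
        return audit(write_plists(directory, plists))


if __name__ == "__main__":
    for rel_path, key, expected, actual in run_demo():
        print(f"{rel_path}: {key or '(file)'} expected {expected!r}, found {actual!r}")
```

On a Mac, run audit() as root with no arguments to check the boot volume, or pass the mount point of an image.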

Turn off Gatekeeper

This is possibly a questionable command from a security perspective. Personally I like to keep Gatekeeper in its strictest setting, as I can manually allow new apps if needed. In some situations however you may want to disable Gatekeeper so that your install PKGs and other apps can run without warning messages. To configure this setting use the following command:

spctl --master-disable

This is only advisable if you have good control over who can run and install what on the Macs. If your users are admins, or if they use the Macs on unfiltered Internet connections, this might not be such a good idea.

For more information about Gatekeeper, take a look at these previous blogs:

Turn on right-click

We often get requests to enable right-click by default. This is another one that needs to be set in the user template for any new users and the existing home folders for any users that have already logged in:

To add the setting to the user template:

for USER_TEMPLATE in "/System/Library/User Template"/*
	do
	/usr/bin/defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.driver.AppleHIDMouse Button2 -int 2
	/usr/bin/defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.driver.AppleBluetoothMultitouch.mouse MouseButtonMode -string TwoButton
	/usr/bin/defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.driver.AppleBluetoothMultitouch.trackpad TrackpadRightClick -int 1
done

To add it to existing user home folders:

for USER_HOME in /Users/*
	do
		USER_UID=`basename "${USER_HOME}"`
		if [ ! "${USER_UID}" = "Shared" ]
		then
			if [ ! -d "${USER_HOME}"/Library/Preferences ]
			then
				mkdir -p "${USER_HOME}"/Library/Preferences
				chown "${USER_UID}" "${USER_HOME}"/Library
				chown "${USER_UID}" "${USER_HOME}"/Library/Preferences
			fi
			if [ -d "${USER_HOME}"/Library/Preferences ]
			then
				killall -u "$USER_UID" cfprefsd
				/usr/bin/defaults write "${USER_HOME}"/Library/Preferences/com.apple.driver.AppleHIDMouse Button2 -int 2
				/usr/bin/defaults write "${USER_HOME}"/Library/Preferences/com.apple.driver.AppleBluetoothMultitouch.mouse MouseButtonMode -string TwoButton
				/usr/bin/defaults write "${USER_HOME}"/Library/Preferences/com.apple.driver.AppleBluetoothMultitouch.trackpad TrackpadRightClick -int 1
			fi
		fi
done

Turn off restore windows

If you don’t want application windows to automatically re-open when apps are re-launched, you can use the following script:

for USER_TEMPLATE in "/System/Library/User Template"/*
	do
	/usr/bin/defaults write "${USER_TEMPLATE}"/Library/Preferences/.GlobalPreferences NSQuitAlwaysKeepsWindows -boolean FALSE
done

To add it to existing user home folders:

for USER_HOME in /Users/*
	do
		USER_UID=`basename "${USER_HOME}"`
		if [ ! "${USER_UID}" = "Shared" ]
		then
			if [ ! -d "${USER_HOME}"/Library/Preferences ]
			then
				mkdir -p "${USER_HOME}"/Library/Preferences
				chown "${USER_UID}" "${USER_HOME}"/Library
				chown "${USER_UID}" "${USER_HOME}"/Library/Preferences
			fi
			if [ -d "${USER_HOME}"/Library/Preferences ]
			then
				killall -u "$USER_UID" cfprefsd
				/usr/bin/defaults write "${USER_HOME}"/Library/Preferences/.GlobalPreferences NSQuitAlwaysKeepsWindows -boolean FALSE
			fi
		fi
done

Stop writing .DS_Store files on the network

This is one for the Windows admins. To stop the Mac clients leaving a trail of .DS_Store files on network drives, use the following:

for USER_TEMPLATE in "/System/Library/User Template"/*
	do
	/usr/bin/defaults write "${USER_TEMPLATE}"/Library/Preferences/.GlobalPreferences DSDontWriteNetworkStores -bool TRUE
done

To add it to existing user home folders:

for USER_HOME in /Users/*
	do
		USER_UID=`basename "${USER_HOME}"`
		if [ ! "${USER_UID}" = "Shared" ] 
		then 
			if [ ! -d "${USER_HOME}"/Library/Preferences ]
			then
			mkdir -p "${USER_HOME}"/Library/Preferences
			chown "${USER_UID}" "${USER_HOME}"/Library
			chown "${USER_UID}" "${USER_HOME}"/Library/Preferences
			fi
			if [ -d "${USER_HOME}"/Library/Preferences ]
			then
			killall -u $USER_UID cfprefsd
			/usr/bin/defaults write "${USER_HOME}"/Library/Preferences/.GlobalPreferences DSDontWriteNetworkStores -bool TRUE
			fi
		fi
done

Set the User’s Homepage

Safari home pages can be set in various ways. I have often included this in first run scripts so I can be sure that new windows and tabs behave just as I need them to:

HOMEPAGE="www.amsys.co.uk"
 
for USER_TEMPLATE in "/System/Library/User Template"/*
	do
	/usr/bin/defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.Safari.plist HomePage -string "$HOMEPAGE"
    /usr/bin/defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.Safari.plist NewTabBehavior -integer 0
    /usr/bin/defaults write "${USER_TEMPLATE}"/Library/Preferences/com.apple.Safari.plist NewWindowBehavior -integer 0
done
 
# Existing users
killall cfprefsd
for USER_HOME in /Users/*
	do
		USER_UID=`basename "${USER_HOME}"`
		if [ ! "${USER_UID}" = "Shared" ] 
		then 
			if [ ! -d "${USER_HOME}"/Library/Preferences ]
			then
			mkdir -p "${USER_HOME}"/Library/Preferences
			chown "${USER_UID}" "${USER_HOME}"/Library
			chown "${USER_UID}" "${USER_HOME}"/Library/Preferences
			fi
			if [ -d "${USER_HOME}"/Library/Preferences ]
			then
				echo "Working on home folder preference file: ${USER_HOME}/Library/Preferences/com.apple.Safari.plist"
				mv "${USER_HOME}"/Library/Preferences/com.apple.Safari.plist "${USER_HOME}"/Library/Preferences/com.apple.Safari.plist_bak
				/usr/bin/defaults write "${USER_HOME}"/Library/Preferences/com.apple.Safari.plist HomePage -string "$HOMEPAGE"
    			/usr/bin/defaults write "${USER_HOME}"/Library/Preferences/com.apple.Safari.plist NewTabBehavior -integer 0
    			/usr/bin/defaults write "${USER_HOME}"/Library/Preferences/com.apple.Safari.plist NewWindowBehavior -integer 0
    			chown $USER_UID "${USER_HOME}"/Library/Preferences/com.apple.Safari.plist
			fi
		fi
done

The numbers after the -integer option refer to specific settings accepted by the Safari preference file:

0 – Homepage
1 – Empty Page
2 – Same Page
4 – Top Sites

Example Completed Script

If you would like to test out a completed version of this script, you can find it on our GitHub page.

Read “Creating Config Profiles instead of a First Boot Script” next

Getting the LDAP distinguished name for an AD user

Sometimes when I’m integrating Macs (and other systems) with Active Directory they ask for the full LDAP distinguished name of the user I’m using to authenticate. This is the user name in the traditional LDAP format:

cn=username,ou=something,DC=amsys,DC=com (for example).

In some cases, if it’s a fairly vanilla and small AD install you can take an educated guess from the domain name and the name of the user. In other cases, if the AD structure is quite complex you need to know exactly what it is. Here is my quick method for grabbing the information.

Using a Windows computer (it doesn’t matter whether it is a server or a client), open the Computer Management Console by selecting Start > Run, typing computermgmt.msc and hitting return.

computer management console ad integration

Expand Users & Groups, select groups and open the properties screen for one of the groups.

In the Properties window, click Add.

expand users and groups

In the Select Users window, click Advanced.

In the Select Users window, search for the admin user name and select to show the X500 name in the attributes to display (which is the full distinguished name).

That’s it. The search will return the full distinguished name.

OS X Yosemite certified courses arrive at Amsys

Happy New Year! I hope that you had a wonderful break, are fully rested and ready to embrace what 2015 has to offer!

Just before Christmas, Mandy and I scheduled our very first set of 10.10 Apple Certified course dates, the first of which can be found below.

Call 0208 645 5806 or email training@amsys.co.uk for more information.

Look forward to seeing you on a course soon!


Amsys’ First OS X Yosemite Certified Course Dates 

 

OS X Support Essentials 10.10

Learn how to support and troubleshoot Mac devices running Apple’s latest OS X, Yosemite. This 3 day certified course will teach you the key skills needed to successfully troubleshoot 10.10 for your users.
Plus, take and pass the exam to receive your ACSP!

 

 

OS X Server Essentials 10.10

This 3 day certified course will teach you how to integrate and administer OS X Yosemite server. Take this course to achieve 10.10 ACTC status. The highest certification that Apple awards!

 

 

Mac Integration Basics 10.10

This course has been created for techs who are responsible for introducing a Mac device(s) into a small business environment that’s predominantly Windows-based. The course to take to learn how to integrate Mac(s)!

 

 

Mac Management Basics 10.10

Do you have a collection of Macs that need to be configured and managed, but don’t know where to start? Do you know what’s involved and how to ensure you can keep your Mac estate up to date?
If not, then attend the Mac Management Basics course.

 

 

Swift London – 1 Hr Beginner Workshop

swift london meetup

Founded on 5th of June 2014, the meet up group, Swift London has grown into a collaborative community of beginner and advanced developers, eager to learn more about the Swift programming language.

Over the last 6 months, the group has held a series of events, alternating between talks and hands-on sessions, culminating in their brilliant Christmas Party, whereby developers from across the UK showcased their experiences with Swift.

This month, we’re delighted to announce that Amsys will be co-hosting Swift London’s first Swift for Beginners workshop on the 19th of January.

When: 19th January 2015 (18:30 – 20:30)
Where: London

// Please register now if you want to attend as this event will be fully booked within the next 24 hours. //

Best Practices in 2015: Modular Deployment & Patch Management

Whether you have already deployed Macs in your organisation or you are trying to work out how to do it, one of our recommendations is to adopt a solid deployment and patch management approach from the start.

This topic breaks into a number of smaller methodologies described in one of our earlier blogs.

When you are starting to look at refining your deployment processes, there are a few things to take into account:

  • To get the Macs initially setup and useable you will need the ability to deploy your line of business apps
  • You will need to be able to patch these line of business apps and other parts of the system

It is worth pointing out that the time or money invested in improving these systems is often relative to the size of organization.  If you are a startup with 1 or 2 employees you probably aren’t going to rush into setting up a deployment system, but as your business grows, the time lost manually setting up machines and the risks associated with not patching them will grow.

Deploying line of business apps

The first recommendation is to set up a system that can deploy apps from a central point to each of your organisation’s Macs.  There are lots of different tools available and setting one up will mean you don’t have to touch each computer when you want to deploy new apps.

The key idea is to add the app installers to the deployment server and then “enroll” each computer so they can receive the packages.  You can then choose whether the deployment happens automatically or if they are presented to the user in a self service interface.

What tools can you use?

There are lots of options on the server side to accomplish this including Munki, Casper, Bushel, Absolute Manage & FileWave to name a few.  Our preference is either Munki or the Casper Suite.

The choice of one over the other will depend on budget, and the technical level of the operator (Casper has a slightly easier learning curve and being a commercial product, is backed by a thorough training programme).

For both of these tools and other programmes, the basic concept involves packaging each of your apps, adding them to the server and then configuring them to be deployed to the Macs.    The level of difficulty will really depend on the app you are packaging.

In some cases, if you don’t need any customisations made to the app, you can just drop in the installer straight from the vendor.  In other cases, strange licensing / activation processes, per user customisations and additional settings can make the packaging more complex.

A Note About The Mac App Store

Getting apps from the Mac App Store is a little different.  Many of you will have used the App Store to purchase individual apps and while you can still do that with your business computers, it can be more efficient to sign-up for a VPP account from Apple and use a deployment tool.

There are two methods we have been using recently to get the apps from the app store and onto the Macs.  The first is to re-package the app into an Apple installer file and distribute with a deployment server like Munki or Casper.

The main benefit is a zero-touch process for the end-users.  You can silently push the apps to the devices without user interaction, removing the need to manually configure each machine.  The downside is that updates for these apps are tied to the original Apple ID so you will need to look after the patching as well.

The second app store technique involves the Casper Suite from JAMF Software.  They have a neat feature that allows you to deploy Mac App Store apps in their self service portal.

The process is much easier than repackaging, although it does require a little more user interaction.  It has the added benefit of presenting all available apps (including non-app store apps) to the user in a single interface.

Patching and software updates

A lot of people consider the ongoing patch management of Mac OS X and the deployed apps even more important than the initial deployment.  The logic could be a little off as without the core business apps the Macs aren’t really much use, but I would agree that just focusing on getting the apps out without considering how you will keep things up to date is a bad idea.

If you ignore all updates, as well as being vulnerable to all sorts of attacks, you are putting off the inevitable.  The task of updating just keeps growing until it becomes a major project.

The tools and techniques used for patching Mac OS X, and your business apps go hand in hand with the initial deployment, with a few additions.  The goal is to be able to deploy updates to the base OS and third party apps with the minimum of fuss.

For apps like Firefox, there is no delta installer; you will just be deploying the whole thing, in which case you would add it to your deployment server just as if you were deploying it for the first time (note: make sure you aren’t deleting user settings such as bookmarks in the process).

The same applies for lots of other delta updates like the Microsoft Office patches; the only difference is the requirement for the original program to be on the machine before the update is run.

For Apple updates, a traditional Software Update Server still works best.  You can set this up with a Mac running the server app, or if you are feeling more adventurous (or would rather run the service on non-apple hardware), you could use Reposado.

A Software Update Server lets you enable new updates to the base OS and Apple apps once you have tested them, preventing a potentially harmful update from disrupting the Macs.

The final option to streamline the patching process is to use AutoPkg.  This service lets you set up automatic workflows for a lot of your third party apps so the new versions can download and add themselves to your deployment system.  The project started out working with Munki but has been extended to also work with Casper (AutoPkgr).

It is important to note that if you set up this service to automatically download and deploy the updates, you are putting your trust in unknown parties.

We would recommend setting it up so that new updates go into a “quarantine” group and are only deployed to test machines.  If you are more security conscious, or are bound by strict security compliance regulations, AutoPkg may not be for you, in which case you would need to use a more manual process.

Read “Best Practices in 2015: Managing Settings in Mac OS X and iOS” next

If you are thinking about deploying a new fleet of Macs or iOS devices and require Apple consultancy or advice, please contact our expert team today. Call 0208 660 9999 or email support@amsys.co.uk.

Setting the Network Time Server from the Command Line

Hi All, here’s a short and sweet blog post to kick off the new year!

I often get asked about setting up NTP configurations on client devices in a better way than manually. You can do this from the command line simply enough:

NTPServer="time.euro.apple.com"
/usr/sbin/systemsetup -setnetworktimeserver "$NTPServer"
/usr/sbin/systemsetup -setusingnetworktime on

Swap the “time.euro.apple.com” with your desired NTP server and run the commands as root (using ‘sudo’ in front of them). The first command sets the NTP server address (viewable in the GUI in ‘System Preferences’ under ‘Date & Time’). The second command enables the use of the NTP.

Trick 1: Scripting

As this is a bash command, you can chuck it into a Bash / Shell script. Typically I will put this into a ‘first boot’ script to configure a device during imaging.

Trick 2: AD Domain

Another cool trick is if you’re in an AD domain scenario, you can usually set the domain as the NTP rather than a specific NTP and the client/s will use AD / DNS to find a specific NTP!

E.g. if your NTP servers are ‘time1.example.com’ and ‘time2.example.com’, and your domain is ‘example.com’, set the NTP to the ‘example.com’ address and it should find the NTPs automatically.

Summary

There you go, short and sweet.

As always, if you have any questions, queries or comments, let us know below and I’ll try to respond to and delve into as many as I can.

OS X Yosemite hidden feature series – Part 1

os x yosemite hidden features

Since OS X Yosemite was released in October, I’ve been hunting around for those cheeky little Easter eggs that Apple like to sneak in. In this new series, I will be blogging about some of my favourites.

I was going to start this blog series in the new year, but then I decided it might be nice to release the first part as a Christmas treat!

So, to kick us off in Part 1, I thought I’d start with a couple of new features in the Finder and Dock, in other words the user interface in OS X Yosemite.

New Feature 1: Finder Dark mode

Yosemite has a new look, and it’s brighter and crisper than ever. For some people though, this may be too bright and crisp! So, Apple provided a ‘Dark Mode’.

Simply navigate to the General pane of System Preferences and tick the box next to ‘Use dark menu bar and Dock’:

os x yosemite dark mode

Here is a ‘before’ snapshot showing the default menu bar and dock, notice how bright and white the menu bar and Dock are:

before dark mode yosemite

And now below is an ‘after’ snapshot showing the Dark Mode menu bar and Dock, notice the menu bar and Dock are now darker (black):

in dark mode yosemite

This ‘Dark Mode’ is ideal for anyone working in perhaps a professional photo or video environment.

New Feature 2: Batch rename files or folders in Finder


Have you ever had a bunch of files or folders and needed to rename them quickly and all in sequence? Yosemite makes this a breeze.

All you need to do is highlight all your files/folders, then control-click/right-click them and select ‘Rename items’ from the contextual menu that appears. Then just choose your choice from the drop down menu, select your criteria, click Rename and you’re all done!

Below is an example where I wish to rename 4 files in sequence:

Step 1: Select all the files in the Finder:

batch rename files in yosemite

Step 2: Control-click/right-click the items and select ‘Rename items’ from the contextual menu that appears:

batch rename four files in yosemite

There is now a choice of 3 renaming options:

batch rename replace text yosemite

You can simply Replace Text in all items:

replace text in all file names yosemite

Add Text in all items:

add text all files yosemite

Or use Format to reformat Text in all items:

use format to reformat text yosemite

Step 3: I have chosen to Format the text as follows:

reformat text in yosemite

This will rename each file in turn as ‘RussDoc’ and then add a sequential number starting from ’1′.

Below is the result:

batch reformat result yosemit3e

New Feature 3: Handoff

If you own more than one Apple device, let’s say an iPhone and an iMac, Yosemite and iOS 8 combined have a really nifty feature known as Handoff. It is technically one part of a feature known as Continuity.

So what is ‘Handoff’?

To quote Apple’s website:

“Say you start writing a report on your iMac, but you want to continue on your iPad as you head to your meeting. Or maybe you start writing an email on your iPhone, but you want to finish it on your Mac. Handoff makes it possible. When your Mac and iOS devices are near each other, they can automatically pass what you’re doing from one device to another.

An icon representing the last app you were using will appear on your second device — in the Dock on your Mac or on the Lock screen on your iOS device. Just click or swipe to pick up exactly where you left off without having to search for the file. Handoff works with Mail, Safari, Pages, Numbers, Keynote, Maps, Messages, Reminders, Calendar and Contacts. And app developers can easily build Handoff into their apps.”

Make sense?

So, let’s see it in action. I’ll be using an iPhone 5 running iOS 8.1.2 and an iMac running OS X Yosemite 10.10.1.

First of all, the requirements to use Handoff:

  • Sign into the same iCloud account on all your devices.
  • Turn on Bluetooth on all the devices you want to use. Make sure your devices are near each other.
  • Connect all your devices to the same Wi-Fi network.

Step 1: Go to the Settings App in iOS 8, choose ‘General’ and then ‘Handoff & Suggested Apps’ and ensure that ‘Handoff’ is enabled:

setting up handoff

Step 2: On your Yosemite Mac, ensure that Handoff is enabled in General Preferences:

enable handoff in general preferences

Step 3: Ensure both devices are logged into the same iCloud account, (iOS 8 = Settings App>iCloud, OS X Yosemite = System Preferences>iCloud), the same Wi-Fi network and have Bluetooth enabled.

Step 4: Start to compose a new email using the Mail app on your iPhone:

create and send an email using handoff

Step 5: Your phone should ‘notify’ your Mac in the far left of the Dock that there is an email that you can continue from your iPhone:

mail from iphone handoff

(You could also use OS X’s App switcher by using the Command-Tab keys to switch to an app with a Handoff icon).

Step 6: Select the Email icon at the far left of the Dock to open the email and continue:

reply to email handoff

Nice!

Let’s look at it the other way round, ‘Handing off’ from OS X to iOS.

Step 1: Using the rules from above, but this time start the email on your Mac, then the Lock screen of your iOS device will show the icon of the Handoff supported app in the lower left hand corner, (and yes, that is me in the racecar!):

handing off from os x to ios

Step 2: Swipe the Handoff app icon ‘UP’, (in this case the Mail icon), and unlock the device if it has a passcode. The email or whatever Handoff content there is, will load on the screen.

You can also go to the multitasking display in iOS (double-click the Home button on your iPhone, iPad, or iPod touch), swipe all the way from left to right to see that the Handoff app is the first icon in this list before the home screen, then tap the app:

mulit tasking display handoff

New Feature 4: Quickly disconnect from a Wi-Fi network

I have often wanted to disconnect from a Wi-Fi network without having to turn Wi-Fi completely off. Before Yosemite, this couldn’t easily be done. Well, now you can!

In OS X Yosemite, once connected to a Wi-Fi network, simply option/alt click the Wi-Fi icon in the top right menu bar. You will now have an option to disconnect from the network listed underneath the name of the currently in-use Wi-Fi:

quickly disconnect from a wifi network

(If you are connecting to an iPhone/iPad using the Personal Hotspot feature of iOS, this feature is immediately available from the Wi-Fi menu without having to option/alt click).

I hope you have found this blog useful. There are many more features that I haven’t listed here, but these are 4 features that I have found people have not been aware of, or have not been able to use correctly, so I thought they would be good to blog.

Read part 2 here, which covers all the new and hidden features in Safari!

Apple has a good overview of the main new features of OS X Yosemite on their website should you wish to see what else is out there.

Also, if you would like to learn more about OS X Yosemite and iOS 8 we teach a large collection of OS X Mac and iOS support courses, which you may find useful.

Disclaimer:

While the author has taken care to provide our readers with accurate information, please use your discretion before acting upon information based on the blog post. Amsys will not compensate you in any way whatsoever if you ever happen to suffer a loss/inconvenience/damage because of/while making use of information in this blog.

Calling all iOS Developers!

We are on the hunt for 2 experienced and enthusiastic iOS developers, 1 senior iOS developer and 1 web/database developer who are based in or are willing to relocate to Glasgow!

Who will you be working for?

You will be working for one of the leading facilities management companies in the UK; who are looking to expand their in-house iPad app development team to develop innovative apps for their large network of retail clients.

Who do you need to be to apply?

An experienced iOS app developer or web developer! We have 3 roles that we have been tasked with to recruit for, all of which are offering a substantial pay packet and benefits package:

iOS Developer

  • Minimum 5 years overall development experience including 2+ years coding for iOS devices in Objective-C/Cocoa/Xcode
  • A link to a working iOS application that you have created or worked on.
  • Commercial software product development experience -  not just internal or personal software apps.

Read full job description here

 

Senior iOS Developer

  • You must have previous management experience
  • 6 years + overall development experience
  • Strong analytical and problem solving skills.

Read full job description here

 

Web/Database Developer

  • Minimum 4 years Web Development/JSON Web service experience
  • Minimum 2 years commercial experience in ASP.NET MVC
  • Strong C# and SQL Skills

Read full job description here

Amsys Advent Calendar Christmas Countdown

Kick off the festive season in style, and countdown the 12 days to Christmas with Amsys.

From tomorrow (12th December) we will be giving away an Apple themed gift or Amsys treat with every course that’s booked!

Your gift or treat can be redeemed by quoting the offer code that will be revealed each day by email. To join in with the festivities and to receive your 12 days of Christmas email – please add your email address to the field below.

Munki 2: Introduction

Hi all. I’ve been meaning to do this for the last few months. On 23rd September 2014, Greg Neagle released the official version 2.0 of the Munki solution.

Version 2 has brought a number of (good) changes and additional features to make the whole solution much prettier to the end user.

Firstly, the new requirements

New version means new requirements:

  • Munki 2 no longer supports Leopard (unlike Munki 1). This puts the client OS versions supported by Munki 2 at 10.6.x to 10.10.x.
  • Munki 1 does not officially support Yosemite. This puts the client OS versions supported by Munki 1 at 10.5.x to 10.9.x.

New features

The biggest change for Munki 2 has been the GUI application on the client devices.

Munki 1 made use of a locally installed client application called “Managed Software Update” and this was modeled on the current built-in Apple Software Update tool of the time.

munki 2 managed software updates

However, Munki 2’s client application has been redesigned to have a similar look and feel to the modern day software update system, the Mac App Store. With this new look comes a new name, ‘Managed Software Centre’, and a new location in the main Applications folder.

munki 2 managed software centre

This new look and feel will show the most benefit to the optional applications you may offer through your Munki solution, specifically, the ability to group applications by category and to provide more detailed information regarding each installation along with screenshots and icons!

munki wiki

munki firefox wiki

This new solution also allows the customisation of the application (‘re-skinning’) to allow a number of branding options for your organisation.

Compatibility

The important question, what versions of Munki client and server work together? The answer (ignoring Mac OS X versions) is all!

The changes to the Munki server are purely some additional directories in the Munki Repo, and some additional keys in the ‘pkgsinfo’ files. The interactions are as follows:

Munki 1 Server, Munki 1 Client

No change in behaviour.

Munki 2 Server, Munki 1 Client

Client will still use the older Managed Software Update tool. Any new items (keys) in the pkgsinfo files (such as path to icon, Categories, or Developer) will simply be ignored and the solution will function as before.

Munki 1 Server, Munki 2 Client

The Client will use the new App Store style application and will see any pkgsinfo files that are missing the keys as a blank value and use the default icons and settings (e.g. standard Apple installer icon and blank values for the others).

Munki 2 Server, Munki 2 Client

The Client will use the new App and the new features from the updated server.

Please Note: There will be no further releases for the Munki 1 tools and so any bugs that are found will not be fixed.

Looking ahead

As with the original Munki series, I’ve got a few blogs planned (time permitting!) At the risk of promising too much, I hope to cover:

  • Munki 2 Server setup / Munki 1 to Munki 2 Server upgrade
  • Munki 2 Client setup / Munki 1 to Munki 2 Client upgrade
  • Using Munki Admin with Munki 2
  • Updating your existing Munki Repo content for Munki 2

Ideally, these will be in my same ‘I assume you haven’t used Munki before and want an easy to follow, basic setup to build off’ style, please let me know if I go too much one way or another.

One more thing…

Around the same time, Greg moved the main storage of the Munki tools and wiki from Google Code to GitHub. New address is https://github.com/munki/munki

Summary

There you go again, a small introduction into Munki 2 and what has changed over Munki 1.

Any hints, tips or opinions? Let us know in the comments below and I’ll try to respond to as many as I can.

Read Part 2: Upgrading your Munki Repo & Administration Mac here.

 

 

Setup Facebook Messages With Apple Messages App

Facebook is one of the biggest and most popular social media networks in existence. Thousands of messages are sent via it on a daily basis. A Mac user can setup their messages app so that it displays messages sent to them and allows them to reply without having a Facebook window open.

So, how do I setup Messages to work with Facebook?

setup Messages to work with Facebook

With the ‘Messages’ app open select ‘Preferences’ from the ‘Messages’ menu

open preferences in apple messages

When the ‘Preferences’ window loads, select the ‘Accounts’ tab

mail accounts general pane

This will list all the accounts that are used by messages e.g. iCloud account that is linked with an iPhone.

Click the ‘+’ button in the bottom left corner.

setup bonjour on facebook

This will open the add account screen, select the option to use a different account type.

add new email account facebook messenger

From the drop down menu select the Jabber message protocol for the ‘Account Type’.

add jabber facebook messenger apple

add a messages account jabber apple

You need to use your Facebook user name with @chat.facebook.com for the account name.

To find out your Facebook username you need to go to facebook.com/username

Here is the full support article for finding/changing your Facebook username.

Once you have added the details for the account click the ‘Next’ button.

Once the account has been created you will be put back on the main screen of the messages app. From here, click the button to start a new conversation.

create a new conversation facebook messenger apple

This will open the list of your friends, allowing you to select whomever you wish to message.

send a facebook message to a contact apple

Once you have selected a friend click in the message bar at the bottom of the window. Type your message and press the ‘return’ key to send the message.

send facebook message via os x

A green message bubble shows that the message has been sent to the user. As long as the Messages app is running in the background when a message is sent to you, it will show a badge icon over the Messages app icon to indicate a new message.

4 “Mac in the enterprise” deployment techniques

There are a number of ways you can deploy Mac OS X. The tools and techniques used have evolved rapidly over the past few years. In this blog post I will summarize each deployment technique, explain our view on scenarios where you would use one over another and how new options such as DEP have moved things along.

The main methods we will discuss are:

  • Monolithic (traditional) imaging
  • Modular imaging (base OS image + packages and settings)
  • Thin imaging (just packages and settings)
  • User self-service

1. Monolithic (traditional) Imaging

This method has been around for some time.  Back in the heyday of NetRestore, this was the cool new way to deploy Macs (iOS didn’t exist!).  You would get your hands on a model Mac, typically the highest spec that had the most hardware features, install all of the software packages you needed and configure machine level settings, such as the Login Window layout and sharing preferences.

Once you were happy with the setup, you would create a disk image of the hard drive using hdiutil, disk utility or another tool, scan the image for block restoration and then deploy it to the rest of the Macs that you needed to set up.  The end result was a set of identically configured Macs so from that perspective it was a working process.

The downside, however, is when you either spot a problem with the configuration or an update is released just as you finish.  I had lots of situations where I would spot a minor imperfection in the image, meaning hours of work to deploy the image to the model Mac, correct the flaw, and then create a new image.

Each time I did this, the chance of unwittingly introducing a new flaw was high.  Updates being released just as you finished rolling out the image happened a lot as well.  There was nothing worse than creating your great new 10.2.3 OS X image with everything just as you need it, only for Apple to release the 10.2.4 update the next day.

This obviously brings up a flaw with the patch management processes, which were often non-existent.

We could, of course, add in a software update server to handle the Apple updates but what about Office, database apps, Silverlight, Flash, etc.?

In many cases, organisations just froze in time. They deployed their image, and that was it until the hardware was due to be refreshed.  Good from a change management point of view, not good from a functionality or security standpoint.

2. Modular Imaging (base OS image + packages and settings)

Modular imaging has also been around for a while, although adoption has been slower.  The basic idea is to separate out each part of your intended build into a base OS (with any necessary updates), the applications the users need, and finally any settings you would like to be configured from the start.  Each aspect of the final build is stored as either a package installer or a script that would run when the target Mac first boots.

There are three key benefits to this approach:

  • It’s easier to update or fix one part of a build than recreate the whole thing
  • It’s easier to update part of the build if a patch for a particular bit of software is released
  • You can create multiple “workflows” without having to store multiple monolithic images

For these reasons, you would assume this would always be the preferred method over monolithic imaging.  So why has adoption been slow?

The first (and probably the main) reason is an increase in technical difficulty.  When you’re creating a monolithic image you can ‘see’ what you are doing, it’s just like setting up a normal Mac and then taking a snapshot of its state.  With modular imaging, you have to learn a few new skills including scripting and software packaging.

The second reason is that it’s newer.  There are some techs out there that know how to create a monolithic image and are happy with the results. And, from a time investment perspective, they don’t want to spend time learning a new way to achieve the same goal.

At Amsys, we switched to modular imaging a few years ago and saw the benefits almost immediately. Once we had worked out how to package some of the trickier apps and some of the scripts that were needed we could create customised builds for our clients in much less time.

3. Thin Imaging (just packages and settings)

Thin imaging is one of the newest techniques.  It is quite similar to modular imaging, just without an OS.  The assumption here is that Macs from Apple come with a perfectly good, pre-installed OS, so why spend time wiping it, only to put the same thing back on the machine before adding the apps and settings.

With thin imaging, you take a Mac out of the box and run a workflow that installs the apps you have packaged and adds any settings that you need.

Some of the benefits for thin imaging are:

  • Time saved as you aren’t capturing / packaging a base OS
  • Time saved as you aren’t deploying an entire OS
  • You are less likely to introduce issues by replacing the OS (incorrect hardware extensions, etc.)

With this style of imaging, there are some other added benefits.  For example, you can take a machine that has already been set up by the user and deploy your company apps and configuration to it.  As you’re not wiping the drive there isn’t a risk of upsetting the user by deleting all of their data!

A potential negative, however, is the lack of a proper “imaging” option.  “Re-imaging” has long been seen as a way to eradicate problems from machines as it can return them to a known working state.  As thin imaging only adds to the target machine, it wouldn’t be a suitable option for removing a pre-existing problem.

This being said; thin imaging and modular imaging can co-exist together.  At Amsys, we quite often setup both options.  Once we have created a modular imaging workflow that can lay down an OS, it is only a few minutes work to create a separate workflow that performs all the same actions, just without a base operating system.

If the option of erasing the machines is a requirement, but you’d rather not “re-image” in the traditional sense, you can create an OS X installation package using a tool like createOSXinstallPkg. This script generates a package that can be installed as part of your thin imaging workflow, but performs a standard OS X installation. If you include a step to erase the target drive before installing, the result will be very similar to a modular build.

4. User self-service

The final deployment method I would like to talk about is user self-service.  The first three methods I have described are quite similar.  Some of the tools and techniques are different, but the underlying processes are the same, as are the results.

User self-service takes a different approach entirely and simply provides a mechanism for the user to install the apps and settings they need.  Some organisations I have worked with that have very large numbers of Macs (usually over 1,000 devices) are using this method.  It could be that it took that quantity of machines to force them to think of more efficient ways to get the machines out to the users.

One of the major benefits is the lack of IT involvement.  The IT team need to ensure that the catalog of packages and settings are tested and functional, and that there is a simple way to present these to the users (such as JAMF Software’s Self Service), but once this is done, the user only needs to enrol their device, launch the app and choose what they need.

This can be extremely handy if a user is in a remote location.  If they have a major hardware breakdown, they can go to their nearest Apple Store, buy a new Mac, enrol with the management system and open up Self Service to get going.  No IT involvement needed.

With Apple’s DEP (Device Enrollment Program) now, the users don’t even need to enrol.  They unbox their new Mac, complete the setup assistant and they are ready to go.

Conclusion

There are some projects we have been working on recently that I simply couldn’t imagine finishing without some of the newer deployment methods.  Tools like Casper and Munki have created some new and interesting workflows that are really helping to reduce the manual effort needed to deploy large numbers of machines consistently.

While monolithic imaging is rarely used, I couldn’t really say that any one of the other techniques described is the best; it really just depends on the scale of the deployment project, the location of the devices and users and what you want from the final setup.

If you are thinking about deploying a new fleet of Macs or iOS devices and require Apple consultancy or advice, please contact our expert team today. Call 0208 660 9999 or email support@amsys.co.uk.

Get SendEmail working with Yosemite and Mavericks

A while back, we found a nice little command line tool to send emails with authentication settings, custom subjects, etc., without using any of the built in email sending tools. This was handy for situations where a client might have various restrictions in place such as a relay server that requires authentication and / or a specific sender address to allow the emails to pass through.

The tool is called “SendEmail” and is available from the Caspian webpage for free! We commonly used this with a number of custom client-side notification systems.

Sounds handy, what changed?

Mavericks:

Well, the solution is a script written in Perl, making use of the default Perl installation and modules. With Mavericks, Apple added a newer default version of Perl, with which the script could not use the SSL Module for SSL communications.

The main issue is that the developer is no longer actively developing this tool and so there is no full patch for the issue. After a short while, one of the commenters on the page posted a simple fix that involves editing the SendEmail tool to use the older, yet still included version of Perl, 5.12.

The fix is to open the script in a text editor (avoid TextEdit and use the free TextWrangler if possible), and modify the first line from:

#!/usr/bin/perl -w

To:

#!/usr/bin/perl5.12 -w

And save the new script. This should now work fine in Mavericks.

Yosemite:

With Yosemite, Apple removed the older Perl version meaning that the above fix no longer works. We have to make some more tweaks to the script and grab the single required module from the Perl 5.12 modules.

1. Find the Perl 5.12 Extras directory on a copy of Mac OS X Mavericks or Mountain Lion. This is located at “/System/Library/Perl/Extras/5.12”.

2. Grab the specific SSL.pm Perl Module from “/System/Library/Perl/Extras/5.12/IO/Socket/SSL.pm” and copy this to a location of your choosing. We typically use a /Library folder for our installations. E.g. “/Library/Amsys/Perl5.12/”. I would suggest you do the same and DO NOT modify your own “/System/Library” folder contents (this is because this area is Apple’s domain so any updates and definitely any upgrades will replace this folder).

3. Reopen the SendEmail script in a text editor of your choice.

4. If you made the above changes for Mavericks, we need to reverse these to use the default Perl language version. Modify the first line from:

#!/usr/bin/perl5.12 -w

Back to:

#!/usr/bin/perl -w

5. Now we need to tell the SendEmail script to use the extra SSL Module we have grabbed. Around lines 128 to 133 you’ll see this:

## Load IO::Socket::SSL if it's available
eval { require IO::Socket::SSL; };
if ($@) { $conf{'tls_client'} = 0; }
else { $conf{'tls_client'} = 1; }

Change this to:

## Load IO::Socket::SSL if it's available
use lib '/Library/Amsys/Perl5.12';
use SSL;
#eval { require IO::Socket::SSL; };
if ($@) { $conf{'tls_client'} = 0; }
else { $conf{'tls_client'} = 1; }

And change the path in the ‘use lib’ line to the location where you have put your Perl v5.12 SSL.pm module file.

6. Run some tests and checks and this should all work. If you’re having issues, check that the Library folder/s and the SSL.pm file are owned by Root with 755 as the permissions (or however your specific implementation requires them).
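The ownership and permission check from step 6, written as a script. This is an added example, not part of the original post or of SendEmail; the function names are made up here, and it tests for "expected owner, not writable by group or others" rather than an exact 755, because any account that can write to a directory named in ‘use lib’ can change what the script loads.

```shell
#!/bin/sh
# Added example (hypothetical helper names): verify that a Perl module loaded
# through 'use lib' and every directory above it, up to a chosen top folder,
# is owned by the expected user and is not writable by group or others.

# check_path PATH EXPECTED_UID
# Prints one result line; returns 0 when the path passes, 1 otherwise.
check_path() {
    info=$(ls -ldn -- "$1" 2>/dev/null) || { echo "FAIL $1: cannot stat"; return 1; }
    # ls -ldn: field 1 is the mode string, field 3 the numeric owner uid.
    mode=$(printf '%s\n' "$info" | awk '{ print substr($1, 1, 10) }')
    uid=$(printf '%s\n' "$info" | awk '{ print $3 }')
    case "$mode" in
        l*) echo "FAIL $1: symbolic link"; return 1 ;;
    esac
    if [ "$uid" != "$2" ]; then
        echo "FAIL $1: owner uid $uid, expected $2"
        return 1
    fi
    case "$mode" in
        # character 6 = group write bit, character 9 = other write bit
        ?????w????|????????w?)
            echo "FAIL $1: writable by group or others ($mode)"
            return 1 ;;
    esac
    echo "ok   $1 ($mode uid $uid)"
}

# check_module_tree FILE TOP [EXPECTED_UID]
# FILE and TOP are absolute paths without a trailing slash; FILE must sit
# below TOP. EXPECTED_UID defaults to 0 (root), as the post recommends.
check_module_tree() {
    file=$1 top=$2 want_uid=${3:-0}
    status=0
    [ -f "$file" ] || { echo "FAIL $file: not a regular file"; return 1; }
    case "$file" in
        "$top"/*) ;;
        *) echo "FAIL $file: not under $top"; return 1 ;;
    esac
    path=$file
    while :; do
        check_path "$path" "$want_uid" || status=1
        [ "$path" = "$top" ] && break
        [ "$path" = "/" ] && { status=1; break; }
        path=$(dirname "$path")
    done
    return $status
}

# Usage with the folder used in this post:
#   check_module_tree /Library/Amsys/Perl5.12/SSL.pm /Library/Amsys
```
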

Looking Forward

OK, I confess, this is a large bit of gaffer tape stuck over cracks in the script, but it’ll get most people who may use it out of a hole with the least amount of faff.

In the future, I’ll need to tear the script apart and find out what specifically it doesn’t like with the SSL module in the newer versions of Perl and correct this. As with most IT guys, it’s on a ‘To Do’ list, just not very high up it!

Summary

I hope this helps anyone else who uses SendEmail to continue using a nice little tool for command line email sending!

As always, if you have any questions, queries or comments, let us know below and I’ll try to respond to and delve into as many as I can.

Amsys’ Yosemite Advanced Deployment course is here!

Over the last few years, my fellow trainers and I have been teaching our advanced Apple IT courses to a wide range of IT professionals who need to extend their OS X knowledge beyond Apple’s ACTC certification.

Last week, I delivered our very first OS X Yosemite training course, an updated beta version of our Advanced Deployment course.

advanced deployment yosemite course

Over the last couple of months, I’ve been thinking about how I can make this course bigger and better (and more enjoyable)!

Now that Yosemite has arrived, I’ve managed to pack in more features and tools for administrators to play with. The Advanced Deployment course for 10.10 is all about hands-on labs, with plenty of time to get your hands dirty by trying out different deployment scenarios and solutions.

I’ve added lots of third party tools into the mix as either demos, discussion points and exercises. These sessions will provide valuable real-world context, as these tools complement OS X’s built-in installation and deployment software and have become an essential tool to many Mac Admins.

This 3 day intensive course is ideal for IT professionals who require an in-depth knowledge on deploying OS X systems and its software.

Students on the first course really enjoyed our hands on approach to training, with one commenting:

“The course will be very useful to me as it has expanded my knowledge on deployment. I handle all the deployments at my work, and I am also considering incorporating an MDM, this course has really opened my eyes to the options available in leveraging a combined deployment and MDM solution.

Being on the first beta of this course meant I was able to ask the questions I needed to ask without disturbing the progress of the course. Having the ability to test out Yosemite so close to its release date was fantastic. Russell also encouraged and assisted me in testing out my own theories and scenarios instead of performing the documented course exercises.”

What the Advanced Deployment course will teach you:

  • How to plan and develop a comprehensive, stable Mac Deployment strategy – including customizing deployed systems and implementation of all methods of deployment, from deploying single files to multiple OS X Systems.
  • Create a comprehensive Deployment planning checklist and Service-Level Agreement (SLA).
  • How to create, deploy and enforce Usage Policies on Apple devices.
  • Understand how the OS X Yosemite file system functions and how it handles file, folder and package installation.
  • Understand OS X installer Packages. Creating, customising, securing and deploying installer packages.
  • How the Mac App Store works. Ownership of Apps, downloading Apps, Volume License Agreement (VLA) and Volume Purchase Program (VPP).
  • Understand the built-in security features of OS X (such as GateKeeper and FileVault 2) and how to work with these during Deployment.
  • Third Party imaging and deployment tools including, Iceberg, Packages, AutoPkg, Munki and Casper.

Plus much more! Read the Yosemite Advanced Deployment course in full here.

If you want to learn how to deploy a fleet of Macs then come along to one of our Advanced Deployment courses in Central London, South London or Manchester. In the meantime,  keep an eye out for new announcements as we release updated and new courses on OS X Yosemite and iOS 8!

Yosemite: JavaScript for Automation

The Open Scripting Architecture for OS X has been around for a long time and has provided a standard and extensible mechanism for scripting applications and services on OS X.

AppleScript has been the staple OSA language for years but with Yosemite, Apple have added JavaScript.

JavaScript can be used in the Script Editor; there is a Run JavaScript Automator action, and you can also access it via the Terminal.

Apple has got some great documentation, which is available here.

So, for example, take this simple piece of AppleScript that composes a new email along with a subject and message:

tell application "Mail"
	-- Create a visible draft with a subject and body
	set myMessage to make new outgoing message with properties {visible:true, subject:"My Test Email", content:"Hello World"}
end tell


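The JavaScript equivalent would be:

// Get a scripting handle on the Mail app
var Mail = Application('Mail');
var content = "Hello World";

// Describe the draft: subject, body, and show it on screen
var msg = Mail.OutgoingMessage({
    subject: "My Test Email",
    content: content,
    visible: true
});

// Add the draft to Mail's outgoing messages, then bring Mail to the front
Mail.outgoingMessages.push(msg);
Mail.activate();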

So, if you have JavaScript skills, you can start using them to automate the Mac.

If you are not sure what properties are available for an app, its dictionary in Script Editor now lists the properties for either AppleScript or JavaScript.

javascript-script-editor

Apple has even added an Objective-C bridge, allowing JavaScript to access Objective-C frameworks.

This really opens up a new chapter in OS X Automation.

 

Enjoy

Yosemite upgrade and network locations

Day to day I’m often at various sites most of which have some form of proxy configuration. To save myself having to change and remember the specific details for each site / customer, I normally create a new location for each site and switch using the Apple menu (there’s your pro tip for this post!)

When I upgraded to Yosemite (10.10.0) from Mavericks (10.9.5), I found that I had lost all but my default network settings. No Network Locations and no VPN configurations.

That sucks, what did you do?

As always, I took a full disk image of my Hard Drive prior to the upgrade, ‘just in case’ and this was one of the rare times when I had to use it.

I mounted my previous system and grabbed my network locations preference file from its backup location, restored it into the same place on my upgraded OS and restarted my laptop. Once complete, all my locations and VPN settings were restored and operational.

Say that again but slower!

Fair enough.

  1. I mounted the disk image of my OS from before the upgrade.
  2. On this mounted disk image, I found the network preference file located at “/Volumes/[name of my backup image]/Library/Preferences/SystemConfiguration/preferences.plist”
  3. I manually dragged a copy of this file from the above location to the same location on my booted YoYo system (“/Library/Preferences/SystemConfiguration/”) and replaced the file that was already present.
  4. I entered my administration username and password and rebooted the Mac.

That’s it!

Summary

Hopefully, if anyone else hits the same issue, this will help. AND ALWAYS TAKE A BACKUP BEFORE AN UPGRADE!

As always, if you have any questions, queries or comments, let us know below, and I’ll try to respond to and delve into as many as I can.

New “Reachability” feature in OS X YoYo server

Being the type of guy I am and in the role I am, I updated my home server to OS X Yosemite (10.10) over the first weekend of release. After fighting some I/O errors on the boot drive (another story for another time), I eventually got it running.

As usual I had a poke around the Server app and found a cool new feature, “Reachability”.

What’s that then?

This is a new service that can use Apple’s Servers to test your server for open ports and connections to services from the Internet. In combination with the new “Access” tab, you can limit both users and network IP addresses to your services.

Pictures!

So on the main landing page for server App, you’ll have a new “Details…” Box near the new “Internet” section. Click it.

os x yosemite server app

A new screen will appear. Once the server has had a chance to check with Apple, it will display all services that can be reached from the outside world.

os x yosemite reachability

Click the little refresh symbol to have it re-check the forwarded ports and services.

yosemite recheck reachability

At this point, I found out that I had previously enabled SSH without locking down access to the LAN and had forgotten to disable it after testing (naughty me). To limit access to certain users and / or networks, use the new “Access” tab and double click the service in question.

yosemite lan

Add in your specific users and / or networks as required and hit “OK”. Problem solved!

This new page seems to combine the SACL list from 10.6.x Server and the firewall configuration.

Summary

There you go. I hope it helps someone out! So far I’m enjoying the new-look Yosemite even if I’m finding little stability issues!

As always, if you have any questions, queries or comments, let us know below, and I’ll try to respond to and delve into as many as I can.

10 OS X Finder tips that still work with Yosemite

Greetings again Mac enthusiasts!

With the recent release of OS X Yosemite, I thought I would keep the excitement going with some useful tips that have been around on the Mac for a while and still work with Yosemite!

Over the last couple of months, I have noticed that whilst delivering a collection of Amsys OS X training courses, there are a number of navigational shortcuts and hidden tricks that many Mac users are unaware of.

Although there are way too many for me to document them all here, in celebration of the recent 10th update to OS X, I have picked out the 8 most common ones that I find myself showing Mac users – new and old.

I also find that the main questions I hear from Windows to Mac switchers are, “In Windows, I do this…” or “How can I do xyz like I do on my PC?”.

So, these are often my answers to those questions too!

Please Note: Even though these are documented for Yosemite (OS X v10.10), most of these have been available for some time on the Mac platform and, therefore, function in earlier versions of OS X.

1) Keyboard Shortcuts

In general, OS X keyboard shortcuts are displayed in all apps including the Finder itself, just to the right-hand side of all of the pull-down menus at the top of the screen:

keyboard shortcuts osx yosemite

All of these keyboard shortcuts rely on what we call ‘modifier keys’. A modifier key changes the way keystrokes or mouse/trackpad clicks are interpreted by OS X.

The main modifier keys in OS X are:

  • cmd/Command
  • Shift
  • Option/alt
  • ctrl/Control
  • Caps Lock
  • fn/Function

These keys are often represented by special symbols on the keyboard and also in menus and other parts of OS X as follows:

⇪ = Caps Lock
⇧ = Shift Key
fn = Function Key
⌃ = Control/ctrl key
⌥ = Option/alt key
⌘ = Command key

To use a keyboard shortcut, simply press the modifier key specified at the same time as the character key.

For example, pressing the Command key and then the “c” key copies your currently selected data to the Clipboard.

For you Windows users out there, you will find that for most shortcuts where you would use the ‘ctrl/Control’ key and a character key on a PC, you simply substitute the ‘cmd/Command’ key for the ‘ctrl/Control’ key. (‘ctrl’ + ‘c’ becomes ‘cmd’ + ‘c’, etc).

There is a comprehensive list of OS X keyboard shortcuts on our blog and on Apple’s support site, which is well worth referring to or even keeping a copy:

2) File system and hard drive storage location shortcuts.

The Finder in OS X is designed to give the user only the information required to do a specific job. Most users have no need to rummage around the file system. All you should need is access to your Apps and documents. Thus, the Finder gives you quick access to these and not much else.

The default way to use a Mac is, therefore, to use the Dock to access the default Apps and storage locations and to use Launchpad to view all installed Apps. Then within the Apps themselves, they will offer you access to your documents and data relating to that App.

All Apps will give you a limited view of the file system to save new documents to, predominantly offering you locations such as your Documents folder, Downloads folder, Desktop folder, etc.

One of the quickest ways to access all the data stored on your hard disks is to use the Finder’s ‘Go’ menu:

file system and hard drive storage location shortcuts

From here, you can quickly select to ‘Go to your Computer’. Selecting ‘Computer’ is effectively like ‘My Computer’ in Windows. It will give you a list of all the drives connected to your Mac: internal and external drives as well as network drives.

There is also quick access to your entire Home folder, Documents, Desktop and Downloads as well as the Applications and Utilities folders. Not only can you quickly access your Desktop by using the Finder’s ‘Go’ menu, you can also very quickly clear your screen of Apps and Documents and access your Desktop by using the ‘fn’ + ‘F11’ keys on your keyboard. (On some Macs, you may not even need to use the ‘fn’ key and can simply just use the ‘F11’ key).

The Finder’s ‘Go’ menu also has the very useful ‘Go to Folder…’ option. This allows you to enter the file system path to any folder and quickly switch the Finder to that location.

You will often find blogs and documentation online that describe the location of software on a Mac by using file system paths, such as: /Users/russ/Desktop, which will specify my Desktop folder as the location to go to, as my user account is named ‘russ’ and is located in the startup disc’s Users folder:

go to folder os x

Each ‘/’ denotes a double click of a folder with the initial ‘/’ being a double click on your startup disk, which is, by default titled ‘Macintosh HD’ on a Mac.

Here’s the result of the above entered ‘/Users/russ/Desktop’ request:

os x desktop tips

3) Where am I?

So, you’re now starting to get used to using a Mac but now and then you get confused about WHERE in the file system the document you are working on is stored. Or, you just need to go back quickly to the folder in which the open document is located to open a related document that is stored in the same folder.

For me, this is one of the most useful hidden shortcuts on a Mac, and it’s so simple, once you know about it!

Simply ‘cmd/command’ click the folder’s name at the top of the folder window and you will see a full file system representation of where that folder is located.

For example, if I now ‘cmd/command’ click on the word ‘Desktop’ at the top of the Desktop window I am viewing, I will see the following:

where am i os x

Here I can see that the Desktop folder I am viewing is located inside my Home folder, (named russ), which is located inside the Users folder of a hard drive titled ‘RussMBPro’. This hard drive is connected to a computer that is named ‘RussPresentationMac’.

I can not only use this to discover WHERE I am in the file system, but to also use this to traverse back through this file system path.

For example, if I need to go back to my home folder, once I have ‘cmd/command’ clicked on the word ‘Desktop’, I can then select the word ‘russ’ and the Finder window I am viewing will switch to my home folder:

home folder yosemite

What I love about this feature, is that it not only works with folders within the Finder, but also works within documents in OS X Apps!
Again, just ‘cmd/command’ click on the name of the document at the top of the App’s document window to view the document location and to traverse through that file system path:

osx file system path

So, I can easily now see where this ‘RussImportantStuff’ document is stored, and also quickly switch to the folder it’s located in to access other related files. Genius!

4) App switcher.

I often see Mac users fighting to switch from one App to another by dragging document windows out of the way, hiding windows or clicking the Dock icon to switch in-between open Apps.

There is a much easier way!

To cycle through all of the Apps open on your Mac, hold down the ‘cmd/command’ key and then tap the ‘Tab’ key to access the ‘App Switcher’:

os x app switcher

Make sure you keep the ‘cmd/command’ key held down at all times, then for each tap of the Tab key you will see the ‘App Switcher’ switch one at a time through the open Apps.

In the example image above the currently highlighted App is TextEdit and therefore if I let go of both the ‘cmd/command’ and ‘Tab’ keys, my Mac will switch to TextEdit.

You can use the Tab key to shift one App at a time through the list, or you can use the arrow keys or even the mouse/trackpad pointer.

5) Quick Spotlight searching

Certainly one of the most useful keyboard shortcuts is the ability to very quickly bring up the Spotlight search window. This allows you to search your entire file system for a specific document or app, and now in Yosemite, the internet and network content too!

Simply use the ‘cmd/Command’ + ‘Spacebar’ keys together to instantaneously call the Spotlight window:

yosemite quick spotlight search

I typically use this to quickly open an App by typing in the first couple of letters of the App:

yosemite terminal spotlight

6) Windows ‘Delete’ key

When I am training a PC user or a Windows to Mac switcher, many students ask me about how to perform the function of the delete key like in Windows. This seems strange at first, since the Mac keyboard has a Delete key too.

However, the Mac Delete key doesn’t work in the same way; the Mac default Delete key is a ‘Backspace’ key. There is a Delete key, if you have a full size external Mac keyboard. Otherwise, you are stuck with just this Backspace key on Apple portables and the standard USB and Wireless keyboards.

So, how do you perform a ‘Delete’ key function? Well, simply use the ‘Control’ + ‘D’ keys together to delete the next character after the flashing text cursor.

7) ‘Right click’

Another classic from the ‘How to make my Mac act like my PC’ collection is the Right Click. Apple doesn’t give you a right click by default.

In fact, they don’t even give you a right mouse button on their mice or 2 trackpad buttons. There is a good reason for this and it all boils down to Apple’s main goal of having a simple to use “Point and click” interface without the user needing to have to worry about accessing too much information.

However, in reality, most of us want a right click don’t we?

Well, there are options for this. One option is to just add the ‘secondary button’ feature in either the Mouse or Trackpad system preferences.

In the image below, you can see that on my MacBook Pro I can add a ‘secondary click’ to my trackpad in Trackpad system preferences and that there are 3 options. I can either tap with 2 fingers together, click the bottom right corner of the trackpad or bizarrely, I can have a right click by left clicking! :)

right click on os x mouse

The image below also shows the options within the Keyboard & Mouse system preferences for a Mighty Mouse and Mouse preferences for a Magic Mouse. Both have the option to configure a Secondary Button or Secondary Click (for the Mighty Mouse, just select the pull down menu on the right-hand side and change the option from ‘Primary Button’ to ‘Secondary Button’):

mouse options yosemite

os x mouse gestures

The built-in way on ALL Macs to have a right click is to perform a left click but with the ctrl/control key held down. (This is commonly known within Apple as a ‘Control Click’.) So, if you are using someone else’s Mac, you never need to configure the right click on a mouse or trackpad, just use the control key with the left click!

8) Bring back the Finder window status bar

Since OS X Lion (10.7), the status bar along the bottom of each window has been disabled by default.

I can understand the reason for this: it took up some screen space providing information that is irrelevant or too technical for most users. However, as a technician, this is something I always want to have available to me. It is a great way to quickly check how much hard disk space is available or even how many files and folders are in the currently viewed folder.

There are a few ways to bring this feature back. You can just select ‘Show Status Bar’ from the Finder’s View menu, and you’re done:

bring back finder in os x

Notice below that we now have on all Finder windows the bottom footer displaying the Status Bar:

see storage space in os x

There is an even quicker way to do this with a keyboard shortcut. Just press the ‘CMD/Command’ + ‘/’ keys together to quickly toggle the status bar on and off.

(Refer to Apple’s support article and the information back in Tip 1 for more info on keyboard shortcuts).

9) Show the Finder window path bar

Similar to tip 7, the Finder Path Bar has also been removed in default installations of OS X and the solution is, therefore, also similar. Being able to quickly view the file system path is really useful for navigation and file storage. It also saves having to perform tip 3!

You can just select ‘Show Path Bar’ from the Finder’s View menu, and you’re done:

show os x finder path

Notice below that we now have on all Finder windows the bottom footer displaying the Path Bar:

path finder os x

There is again an even quicker way to do this with a keyboard shortcut. Just use the ‘Option/alt’ + ‘cmd/Command’ + ‘P’ keys together to quickly toggle the path bar on and off.

10) Show the Finder locations of Recent Items

Most people access the same Apps and Documents regularly, and therefore the Apple Menu’s ‘Recent Items’ feature is really useful:

show finder location of recent items in yosemite

What most people are not aware of, however, is that if you view these Recent Items whilst holding down the ‘cmd/Command’ key, the Finder will now allow you to navigate to the folder that these Recent Items are located in:

view recent items osx yosemite

So there you have it.

These are the main OS X navigation tips that I find myself showing people to improve their Mac experience and save them time! I hope you have found this blog useful.

There are many more tips and tricks in the OS X Finder. If you would like to learn more about these or just the Mac in general, then take a look at our collection of introductory training courses. We also have a large collection of Mac and iOS support courses which you may also find useful.

Disclaimer:

While the author has taken care to provide our readers with accurate information, please use your discretion before acting upon information based on the blog post. Amsys will not compensate you in any way whatsoever if you ever happen to suffer a loss/inconvenience/damage because of/while making use of information in this blog.

This feature has been tested using OS X Yosemite v10.10.0 which was the latest Mac OS release at the time of writing.

Mac Meetup – Yosemite – 6th November – London

Following Apple’s announcements last night, we have decided to hold a Mac Meetup for everyone in London on 6th November.

We hope that you can join us for the evening, which will also feature a 30 min talk and demo on the new features and benefits of Yosemite and iOS 8.

As always, this will be a very informal affair, and a great chance for everyone to catch up with new and old friends alike.

  • 18:30 – Arrive and welcome drinks
  • 19:30 – Yosemite & iOS 8: New features & benefits
  • 20:00 – Close Networking and drinks

Venue: Red Herring, 9 Gresham St, London EC2V 7EH

Please click here to register for your free ticket to next month’s meetup

Have a great weekend and see you on the 6th!

When 16GB is no longer enough!

So a strange thing is happening with iOS 8 adoptions among iOS users. Apple released iOS 8 on the 17th September and within a week the adoption rate was 46% of active App Store users. Three weeks on and the adoption rate is only 47%, an increase of 1%. If you compare this to where iOS 7 was, it was at approximately 70%.

Now things can change, and I’m sure this number will continue to increase but something is different this year. One answer may be the rocky start iOS 8 has had. The aborted 8.01 certainly didn’t help, and that may have put some people off.

However, there have been a few comments on this subject which tie in with my observations and may explain the stalled uptake: storage.

With iOS 5, Apple introduced “Over The Air Updates for iOS”. This had a great benefit for users. They no longer had to be tied to iTunes; they could perform updates independently of a computer. In fact with the advent of iCloud backups a lot of users have never connected their iOS device to any type of computer.

With iOS 8, to perform an over the air update you need approximately 5GB of free space and here lies the problem. On a typical 16GB device, roughly 4GB is taken up by the OS leaving 12GB free. Once you’ve installed apps and taken loads of photos, HD video and slow-mo videos, that doesn’t leave you with a lot of space. Certainly for most users, this prevents OTA updates for the OS. It’s surprising how many users don’t realise they can update via iTunes, which reduces the amount of space required down to approximately 700MB.

I know of many people in this situation, who have not upgraded for this reason.

But for the time being, spread the word that iTunes is the answer. iOS 8 is a fantastic upgrade so it would be a shame to miss out.

Firefox CCK2 lockdown Casper Extension Attributes

Hey everyone. On another recent project, I had a secondary education client running Firefox, and they wanted to have the customisations installed. Typically I’d fire up CCK2, build them, package the finished product and push this out, as per my blog.

This time, partially because they were using Casper, I wanted a method that would automatically detect if the CCK2 items were not installed, and add these Macs into a smart group. That way (as long as my lockdowns worked), we could deploy the updates to Firefox and have the lockdowns installed without repackaging Firefox each time.

After packaging the lockdowns, I still needed a system that could know when these were missing and put the devices into a group to reapply the CCK. Casper has a cool thing called Extension Attributes (EAs) that, if you can script what you need, Casper can check for it.

After an hour spent writing and testing I created the below EA to accomplish what I needed.

Extension Attribute Configuration

Here’s my EA configuration:

firefox customisations Extension Attribute Configuration

Display Name: An arbitrary value, but it is what’s shown in each computer record so make sure that the results of your EA make sense with it.
Description: Again, arbitrary. Stick what you want here.
Data Type: Use “String” because this will reply with a yes or no, although you could tweak it for 1/0 or true/false.
Inventory Display: Where you want it to go. When you get a fair few EAs, sometimes it’s cleaner to stick them in their own area.
Input Type: Script.

Extension Attribute Script

Here’s my script:

firefox extension script

This breaks down as:

Line 1 The shebang. Lets the device know it’s a bash script
Lines 3, 4 and 5 The directory and two files we are deploying for CCK2. I have loaded them as variables for ease of script re-use and reading
Line 8 This runs a multi-input “if” statement. The use of the double pipes (“||”) denotes “or”. If you swapped these for double ampersands (“&&”) it would denote “and”. So this line says “(if directory ‘$distDir’ does NOT exist) or (if file ‘$overrideFile’ does NOT exist) or (if file ‘$autoconfigFile’ does NOT exist), do the section between “then” and “else””.
Line 10 and 13 Command line feedback for troubleshooting.
Line 11 Echo into the Casper EA the word “No”. Essentially if any of those items are missing, then at least part of the customisations are missing, and the whole lot should be reinstalled.
Line 14 Echo into the Casper EA the word “Yes”. If none of those items are missing, then the customisations should be in place and working fine.
Line 15 Close the “if” statement.
Line 17 Exit the script.
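
The script itself is not reproduced in the text above. As an added example (a reconstruction from the breakdown, not the author's script, so its line numbers will not match), the following EA implements the same check; the three paths and the FIREFOX_APP override variable are assumptions to replace with the locations your CCK2 package actually installs to.

```shell
#!/bin/bash
# Added example: Casper Extension Attribute that reports whether the CCK2
# lockdown files are present. The paths below are assumptions, not taken
# from the original post; point them at the files your package deploys.

# cck2_installed <path-to-Firefox.app>
# Prints "Yes" when the directory and both files exist, otherwise "No".
cck2_installed() {
    local app="$1"
    local distDir="$app/Contents/Resources/distribution"                        # assumed path
    local overrideFile="$app/Contents/Resources/browser/override.ini"           # assumed path
    local autoconfigFile="$app/Contents/Resources/defaults/pref/autoconfig.js"  # assumed path

    # If any one item is missing, the lockdown is incomplete and the whole
    # set should be redeployed, so the three tests are joined with "or".
    if [ ! -d "$distDir" ] || [ ! -f "$overrideFile" ] || [ ! -f "$autoconfigFile" ]; then
        # Troubleshooting feedback goes to stderr so it never ends up in the EA value.
        echo "Firefox customisations are missing or incomplete" >&2
        echo "No"
    else
        echo "Firefox customisations are all in place" >&2
        echo "Yes"
    fi
}

# Casper takes the text between the <result> tags as the attribute's value.
# FIREFOX_APP is a hypothetical override used for testing against a copy.
echo "<result>$(cck2_installed "${FIREFOX_APP:-/Applications/Firefox.app}")</result>"
```
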

Usage

So each time one of the client devices submits a recon / runs an inventory it will return a “Yes” or a “No” to its computer record in the Casper JSS. How is this useful?

Well, the next step is to create a computer smart group based on the following check:

“Does the EA ‘Firefox Customisations installed’ = ‘No’”

and this will pick up all the devices that need the CCK2 lockdown installed.

Create a new policy, set it to a frequency of ‘on-going’, scope it to this group and have it re-deploy your packaged CCK2 lockdowns. Job Done!

Next time you push out an updated Firefox install, to be honest, I would also manually re-push out my lockdowns in the same policy, but either way, once the Mac runs a recon it will detect the missing lockdown and reinstall it.

Read how to lockdown Firefox 35 using CCK2 and Casper Extension Attributes.

Summary

There you go. I hope it helps someone out and saves you some time. Attached to this blog is an export of the EA. You can download this, upload it to your JSS and tweak it as desired.

Firefox Customisations Installed EA

At some point, I’ll document and share how to do this with Munki too, so the Munki Admins have something to play with!

As always, if you have any questions, queries or comments, let us know below, and I’ll try to respond to and delve into as many as I can.

Add a SharePoint bookmark in Microsoft Office 2011 to 100 Macs using Bash

Making changes on one Mac can easily be made using the GUI interface, but managing a large number of workstations (especially when performing the same operation) can unnecessarily consume too much of your time.

I recently had to add a bookmark for a SharePoint location for Microsoft Office 2011 applications. Doing so on one Mac was very easy by using the GUI interface but deploying the same change to 100 Macs would not have been possible without taking a few days and a few extra white hairs.

Thanks to Darren Wallace, I managed to complete the task with just a couple of terminal lines. I used the PlistBuddy terminal utility to edit the com.microsoft.office.plist file in my Library/Preferences folder.

Great job, I thought to myself. But how do I edit this file on every Mac and in every user’s home folder?

Luckily, the customer had a Casper solution in place that meant I just had to write a script in Bash and let Casper deal with the hard work.

Then I remembered that David Acland, my Technical Director, had written a previous blog about writing data into existing home folders as part of an installation package. I jumped on the web, found the blog, and that was it. I had a piece of art, which could serve as a base for my script.

Recycling scripts is an essential skill in the scripting world. What makes things even easier is that David’s script had invaluably helpful comments under each line. I easily found what I didn’t need and deleted those sections, which essentially made the script universal.

In the loop, I inserted my PlistBuddy commands, and that was it. Job done. In a couple of hours, I had a script that will add SharePoint locations for every user on every Mac in a medium sized organisation.

Here is what the script looks like:

#!/bin/sh

counter=`ls /Users | grep "[A-Za-z0-9 ]" | grep -c -v -E 'Shared|Guest|\.localized|\.DS_Store'`
     # Outputs the number of folders in the /Users directory, excluding the Shared & Guest directories

killall cfprefsd
     # Restarts the process to allow plist changes to be applied

while [ "$counter" -ne 0 ]
     # Loop start
     do
          targetFolder=`ls /Users | grep "[A-Za-z0-9 ]" | grep -v -E 'Shared|Guest|\.localized|\.DS_Store' | head -n "$counter" | tail -n 1`
               # Gets the target folder name. We prefer an ls loop as otherwise you will need to work around non-mobile AD accounts
               # and using ls on the /Users folder (or wherever the home folders are on the target Macs) ensures that you only get
               # real device “users” and not all of the system accounts.

          /usr/libexec/PlistBuddy -c "Add :favoriteslist:Children:0 dict" "/Users/$targetFolder/Library/Preferences/com.microsoft.office.plist"
               # Adds new dictionary under favoriteslist, under Children

          /usr/libexec/PlistBuddy -c "Add :favoriteslist:Children:0:Name string $4" "/Users/$targetFolder/Library/Preferences/com.microsoft.office.plist"
               # Adds the string Name in the newly created dictionary with a variable in its value $4 that can be replaced by a constant value.
               # The $4 will allow Casper to use custom labels preset in a policy.
               # $4 sits inside the quotes so that a label containing spaces stays part of the single PlistBuddy command.

          /usr/libexec/PlistBuddy -c "Add :favoriteslist:Children:0:URL string $5" "/Users/$targetFolder/Library/Preferences/com.microsoft.office.plist"
               # Adds the URL string in the newly created dictionary with a variable in its value $5 that can be replaced by a constant value.
               # The $5 will allow Casper to use custom labels preset in a policy.

          counter=$(( counter - 1 ))
               # Reduces the counter by 1
     done

killall cfprefsd
     # Restarts the process to allow plist changes to be applied

exit 0



New iCloud tool released by Apple to verify iOS Activation Lock status

Yesterday, Apple made another webpage available to assist users with iOS security.

This time, the website lets users verify the status of an iOS device’s Activation Lock feature.

Available since iOS 7, Activation Lock is a bolt on to the Find my iPhone service, protecting lost or stolen iOS devices by locking out users who do not know the Apple ID and password registered to that device.

Once activated, without knowing the Apple ID credentials, a user cannot disable Find My iPhone, perform any data wipe or reactivate the device under a different name.

This new tool is primarily aimed at assisting those purchasing a second-hand iOS device who want to make sure they will be able to access the device without chasing the seller for deactivation of Find My iPhone.

This new web-based iCloud tool is accessible here, as shown below:

 

ios activation lock status

You will need to know your iOS device’s IMEI, (International Mobile Equipment Identity) or the serial number and then enter a CAPTCHA phrase:

ios device activation captcha

The iOS device identifier will then be checked against an Apple internal database to confirm if Activation Lock is active or disabled:

ios activation lock on

Certainly if you are purchasing a second-hand iOS device, perhaps from an online selling site such as eBay, or even from a work colleague, friend or family member, this tool could be useful to ensure that the Activation Lock feature is disabled prior to purchase so you can gain full access to the device.

Obviously, a second-hand phone could potentially get locked by the seller AFTER you have checked the status, but before you receive the phone, but this is still better than nothing!

I would say that this is more useful if you are buying a second-hand iOS device and the tool states that Activation Lock is ON. If you then contact the seller and they deactivate it, then, by having the ability to deactivate the Activation Lock feature, they should be the legal owner of the device and within their rights to sell it to you.

If a device is stolen that has Activation Lock enabled, an illegal seller of that device would not be able to deactivate this feature.

Apple has released patches for the Bash vulnerability

Since the announcement of the vulnerability in Bash, Apple has released patches for Mavericks, Mountain Lion and Lion. It is recommended that you download and install these patches, asap!

 

Nice hidden iOS 8 features

iOS 8 has many new features, some of which perhaps aren’t as widely known. From playing on my iOS device and browsing the web, I have discovered some of the following hidden gems!

Send your iOS device’s last location to Apple – before your battery drains

If you’ve ever lost or misplaced your iOS device, this new feature allows your device to send its last known location to Apple when the battery drains to a critical level.

This feature was turned off by default on all my devices, to change it you need to:

  • Open Settings
  • Select iCloud | Find my (device)
  • Turn on the option for Send Last Location

FindMyIpad

How to Improve Battery Life

iOS 8.0 has some great new features, but since updating I have been experiencing battery drain. Apple’s OS updates have been known to suffer from this until the release of v*.1.

Until then, here’s what you can do to improve your iOS device’s battery life.

  • Open Settings
  • Select General
  • Select Usage
  • Select Battery Usage

By accessing this feature, which is dependent on what apps you are running, you can reduce battery drain. For example, if you see that the Mail app is using a lot of the battery – then you can change the background refresh settings.

extend your ios devices battery life

Open Desktop Site webpage instead of Mobile version in Safari

When browsing the internet on my iPad, some websites will load a mobile version.
Fortunately, iOS 8 makes loading the desktop version a lot easier:

  • Open Safari
  • Navigate to a website as normal
  • Once the mobile version loads, tap the address field, then swipe down
  • Select the “Request Desktop Site” button that appears

The Shellshock Bug & Workaround

NB: Apple has released the following patches:

This was tested on 10.9.5.

A new vulnerability has been discovered in the bash shell which is affectionately being called “shellshock”. It’s worth pointing out that this is quite serious and should be addressed.

There are some comments on blogs stating that “it’s not as bad as we think” so I will take a moment to explain what it could mean to you so you can make up your own mind.

The bash shell is built into almost every Mac OS X system (I say almost, as some clever person may have decided to remove it from their Mac). The deep, technical description taken from the following site is:

“Bash supports exporting not just shell variables, but also shell functions to other bash instances, via the process environment to (indirect) child processes. Current bash versions use an environment variable named by the function name, and a function definition starting with “() {” in the variable value to propagate function definitions through the environment. The vulnerability occurs because bash does not stop after processing the function definition; it continues to parse and execute shell commands following the function definition.

For example, an environment variable setting of:

  VAR=() { ignored; }; /bin/id

will execute /bin/id when the environment is imported into the bash process. (The process is in a slightly undefined state at this point. The PATH variable may not have been set up yet, and bash could crash after executing /bin/id, but the damage has already happened at this point.)

The fact that an environment variable with an arbitrary name can be used as a carrier for a malicious function definition containing trailing commands makes this vulnerability particularly severe; it enables network-based exploitation.”

Source: http://seclists.org/oss-sec/2014/q3/650

In a nutshell, this means that the shell has a small bit of code that it runs without question on certain older versions of bash. This code can be modified very easily so the attacker can add their own “bits” into it to give them access to your Mac and do as they wish.

From what I can gather it seems like this is only really a problem for computers that have some kind of external access enabled such as SSH or a web service. Some people have said “well that’s ok, I’m not running a web server”. The problem is, you probably are.

A lot of applications start up a small web service to perform their functions, not to mention the cups service running on port 631 that is accessible through a web browser by going to http://localhost:631.

I took a look at my Mac to do a quick port scan and see if I could “lock things down” but have decided that will be ultimately unachievable without a lot of work.

After a bit of digging, I decided that upgrading my bash shell was the simplest course of action so here are some instructions.

How to upgrade bash in OS X to version 4.3.25 to avoid the shellshock attack:

It’s probably worth checking first that you are affected. Run the following command in the terminal and it will report back to say if you are vulnerable:

 env x='() { :;}; echo vulnerable' bash -c 'echo hello'

You can also check the actual version you are using:

 bash --version

You’ll get an output something like:

dave$ bash --version
GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13)
Copyright (C) 2007 Free Software Foundation, Inc.

It affects versions 1.13 (22 years ago) up to 4.3. I’m running 3.2.51 which is affected.

To start the upgrade process, install brew from the command-line by entering the following command and pressing return:

ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

Quick note – I had Xcode installed on my Mac but I hadn’t launched it since a recent update and so the above command was complaining that it couldn’t run properly. I just had to launch Xcode, accept the Ts & Cs and then re-run the command.

Once complete, install the newest version of bash:

brew install bash

In my case it put it into /usr/local/Cellar/bash/4.3.25/bin/bash. The standard place for bash is /bin/bash.

Finally, you can either edit /etc/shells to remove /bin/bash and add the correct path to your new version or replace (after backing up) the default version of bash.

If you do opt to change the path in /etc/shells, make sure you also change the default shell in your user record.

The default shell can be changed from System Preferences or with dscl, but all three options just modify /var/db/dslocal/nodes/Default/users/user.plist

I just backed up the existing /bin/bash with:

mv /bin/bash ~/Desktop/

and dropped in the new version with:

dave$ bash --version
GNU bash, version 4.3.25(1)-release (x86_64-apple-darwin13.4.0)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
 
This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

So I am running 4.3.25 which isn’t affected.

As a final check, I run the env check which should fail to run.
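
The env test shown earlier only exercises whichever bash comes first in the PATH, and after "brew install bash" there are two copies on disk (/bin/bash and the one under /usr/local/Cellar). The script below is an added example, not part of the original post, that runs the same test against each binary by explicit path; the function names shellshock_probe and audit_shells are made up for illustration.

```shell
#!/bin/sh
# Added example: apply the page's env test to specific shell binaries by path.

# shellshock_probe SHELL_PATH
# Prints a verdict; returns 0 = not vulnerable, 1 = vulnerable, 2 = could not test.
shellshock_probe() {
    probe_shell=$1
    if [ ! -x "$probe_shell" ]; then
        echo "not found"
        return 2
    fi
    # Same probe as the page: a function definition followed by a trailing
    # command. A fixed bash prints only "hello" (warnings, if any, go to stderr).
    probe_out=$(env x='() { :;}; echo vulnerable' "$probe_shell" -c 'echo hello' 2>/dev/null) || true
    case $probe_out in
        *vulnerable*) echo "vulnerable";     return 1 ;;
        *hello*)      echo "not vulnerable"; return 0 ;;
        *)            echo "no output";      return 2 ;;
    esac
}

# audit_shells PATH...
# Probes every path, prints one line per shell, returns 1 if any is vulnerable.
audit_shells() {
    audit_worst=0
    for audit_path in "$@"; do
        audit_verdict=$(shellshock_probe "$audit_path") && audit_rc=0 || audit_rc=$?
        printf '%-50s %s\n' "$audit_path" "$audit_verdict"
        if [ "$audit_rc" -eq 1 ]; then
            audit_worst=1
        fi
    done
    return "$audit_worst"
}

# Default paths are the two named on the page: the system bash and the copy
# Homebrew installed. Pass other paths as arguments to test those instead.
if [ "$#" -eq 0 ]; then
    set -- /bin/bash /usr/local/Cellar/bash/4.3.25/bin/bash
fi
audit_shells "$@" || echo "at least one shell above still runs trailing commands"
```

A "not found" line for the Cellar path just means Homebrew installed a different version directory than the 4.3.25 one quoted in this post.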


Disclaimer:

While the author has taken care to provide our readers with accurate information, please use your discretion before acting upon information based on the blog post. Amsys will not compensate you in any way whatsoever if you ever happen to suffer a loss/inconvenience/damage because of/while making use of information in this blog.

Should I Learn Objective-C or Swift?

Since Apple released the new iOS programming language, Swift, online forums and indeed the Amsys training email inboxes have been awash with questions like, Well – what do I do now? Should I learn Objective-C or Swift?

And our answer has been – both! Here are our top 3 reasons why you should learn both iOS programming languages.

If you want to be a successful iOS app developer, you will need to understand Objective-C.

Why? Because you will need to understand the framework and the architecture of iOS apps.

Objective-C and the C language have been around for 20 years. Therefore, any iOS developer worth his salt will need to understand the fundamental building blocks of iOS apps. Amsys Training recommends that you start off with Objective-C and then go on to learn Swift, which will be a walk in the park as a result.

Every current iOS and OS X App has been developed using Objective-C.

Swift is only in its infancy, and Objective-C won’t be going anywhere for the foreseeable future.

Consequently, your future employer or potential clients will be hiring on the basis that you have at least an intermediate understanding of both languages.

During interviews, you may well be asked a question that refers back to the Objective-C language. If you don’t possess this fundamental knowledge you won’t be able to respond with a confident and correct answer – and you will be shown the door pretty quickly!

You will be lost without Objective-C.

Without learning Objective-C, it will be nigh on impossible to learn the Cocoa libraries (Apple’s native object-oriented application programming interfaces, or APIs). These libraries allow you to add animation, networking and the “native platform appearance and behaviour” to your apps, with just a few lines of code. Once you understand the Cocoa way, the complex nature of Objective-C’s syntax will no longer be a problem.

Plus, as a developer, you will be looking at the source code of a variety of apps, some of which will contain Objective-C, as the two languages can be used side by side. If you don’t know Objective-C, then you simply won’t know what certain lines of code have been created to do.

So… if you’re still at a loss on what to do, learn Objective-C first, and then learn Swift!

iOS developers: Contracting VS permanent roles

The Amsys Careers team has recently been given the task of recruiting a new iOS Development team for one of our clients in Scotland.

Whilst resourcing the large pool of iOS developers in the UK, I have noticed a trend.

It’s still a contractors market.

Permanent is a bad, bad word for developers – from ‘I only want to work Tuesday to Thursday’ to ‘I don’t work during the day!’ However, with the explosion of enterprise apps, more and more companies are now looking to recruit in-house teams on a permanent basis with competitive salaries, which provides the kind of security that contracting simply doesn’t.

Pros & Cons of Being a Contractor

PROS                  | CONS
You’re your own boss  | You’re your own boss
£500+ a day!          | Where’s my next project?
Make your own hours   | 18hrs coding still @ day rate
Working from home     | MacBook’s died! ££££££

 

There is always going to be a market for contract iOS developers, but many of you are missing the optimum chance to use your skills and capabilities to create some great apps whilst having a secure career.

Personal development and training.

Swift is, as we all know, the future in app development, which is why Amsys Training has been inundated with bookings for our new Beginning and Advanced Swift courses.

So – should you spend money from your own pocket? Or receive it for free once Amsys Careers finds you that perfect, secure and rewarding new role? Sound interesting? Find out more here.

Do you know a friend or past colleague looking for their next step?

If you’re happy as a contractor or in your current role, then ask about our fantastic referral scheme! By passing your friend’s details onto Amsys, and when they start their new role, you will be rewarded too.

Which brings me back to my main point; please forgive my ramblings.

My client! They are looking to build a new iOS Development Team. The team, which will take their successful business forward by creating in-house apps across the business, will each receive an enviable salary of £60,000 to £70,000 + benefits; this really is an opportunity not to be missed.

So if you fit the following bill, then apply online today, or call 028 645 5807.

  • Minimum 5 years overall development experience including 1-2 years coding for iOS devices in Objective-C/Cocoa/Xcode  (including SQLite for local storage).
  • Experience of SQL Server (Any Version).
  • Solid knowledge of Git.
  • Experience using web services (e.g. REST, JSON, XML).
  • Experience of working with local storage for offline functionality.
  • Any experience working with iBeacons will be advantageous.
  • A link to a working iOS application that you have created or worked on.
  • Must have commercial software product development experience and not purely building internal or personal software projects.
  • Familiarity with core iOS frameworks.
  • Strong analytical and problem solving skills.

If you’re interested in hearing more – contact me on 0208 645 5807 or email me at jamesh@amsys.co.uk.

 

Q & A with Cisco’s Meraki

Earlier on this year, we announced that we had joined the Cisco Meraki Elevate Partner Programme, to bring a secure, easy to manage and cost saving cloud networking solution to our SME and Education clients.

We got in touch with Pablo Estrado, who has been with Meraki since January 2011, where he started as a Solution Architect and is currently the Director of Marketing, to find out about the kind of projects they have been working on and their plans for Meraki.

Who Uses Meraki?

The benefits of a cloud-networking solution aren’t limited to a certain industry or line of business. We have customers in the large enterprise space, in colleges and universities, in retail, healthcare, manufacturing, construction, hospitality and tourism and in large event venues. Customers range in size from the small mom-and-pop coffee shop all the way up to a large enterprise with tens of thousands of employees.

What is Meraki / Cloud Networking

The Cisco Meraki solution is completely web-based so lean IT staff can reconfigure any of their equipment without even being onsite. Our cloud-managed edge and branch networking solutions simplify enterprise-class networks, and include wireless, switching, security, and devices that are all centrally managed from the cloud.

Via this approach, Cisco Meraki gives network administrators complete visibility and control through a browser-based dashboard, without the cost and complexity of traditional architectures. Administrators are able to gain unmatched visibility into what is happening on their network, all through a single pane of glass that makes managing a network painless.

Why Embrace Cloud Technology?

Just give it a try! We offer three ways to try the solution for free. You can request eval gear, which allows you to try for free any Cisco Meraki product on your network. We provide the technical support to get you set up.

We believe that once you try our solutions, you’ll be amazed at the simplified management and increased visibility into your network activity.

You can also receive a free Meraki access point (AP) by attending a webinar, or you can test drive the Cisco Meraki cloud management platform directly from your browser.

Innovative Examples of Meraki?

Just this summer, the Chevrolet Detroit Belle Isle Grand Prix used Cisco Meraki gear to bring connectivity for journalists and photographers at the event. The network was built on the two floors of the historic, 107-year-old Casino Building on Belle Isle, which was dedicated to media personnel during the race weekend.

A simple design started with a 45Mb/s Internet connection with a backup DSL connection, feeding into a Meraki MX100 Security Appliance and then relayed out to an array of strategically placed switches and wireless access points.

Meraki cloud networking is the perfect solution for events like this one. In the case of the Chevrolet Detroit Belle Isle Grand Prix the network was put together in half a day by the networking team, who had never worked with the equipment before. Meraki’s excellent application and client visibility available in the dashboard allowed the team to manage the network effectively even during peak times.

Financial Benefits For SMEs?

Cisco Meraki solutions allow smaller IT shops to provide their business with a large-scale enterprise experience without the large enterprise price tag. In addition, due to cloud-networking’s easy management capabilities, a smaller IT shop is able to manage a network with less manpower, freeing up IT to focus less on “keeping the lights on” and more on creating innovative IT solutions for the business.

Plans for the future?

We’ve grown our product line quite a bit over the last few years, adding dozens of new switches, access points, and security appliances. We’ve always kept a close eye on the problems our customers face and how we can help them solve those issues.

One of our most popular features is something called the “make a wish button.” This is a place where customers can directly enter suggestions and feedback about the Meraki product.

It’s available on every page of the web-based dashboard and sends feedback directly to the engineering and product teams. We’re continuing to invest in all our product lines and will use this feedback to help ensure our products meet customer needs.

Favourite Feature of Meraki?

I think the Meraki dashboard – the network management interface – is where Meraki really shows its value. The analytics and insights gained through the dashboard give network administrators real-time actionable data. The tight integration of the dashboard with high-performance hardware that simply works unlocks countless possibilities for administrators – it provides the key to innovation.

 

To find out how your industry peers are already using Meraki, and the benefits the solutions can deliver for your organisation, please watch this free webinar or email support@amsys.co.uk.